Control of access to a memory by a device

ABSTRACT

The present invention provides a data processing apparatus and method for controlling access to a memory. The data processing apparatus has a secure domain and a non-secure domain, in the secure domain the data processing apparatus having access to secure data which is not accessible in the non-secure domain. The data processing apparatus comprises a device coupled to a memory via a device bus, and operable, when an item of data in the memory is required by the device, to issue onto the device bus a memory access request pertaining to either the secure domain or the non-secure domain. The memory is operable to store data required by the device, and contains secure memory for storing secure data and non-secure memory for storing non-secure data. In accordance with the present invention, the data processing apparatus further comprises partition checking logic coupled to the device bus and operable whenever the memory access request as issued by the device pertains to the non-secure domain, to detect if the memory access request is seeking to access the secure memory and upon such detection to prevent the access specified by that memory request. This approach significantly improves the security of data contained within a secure portion of memory.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention concerns techniques for controlling access to amemory by a device.

2. Description of the Prior Art

A data processing apparatus will typically include a processor forrunning applications loaded onto the data processing apparatus. Theprocessor will operate under the control of an operating system. Thedata required to run any particular application will typically be storedwithin a memory of the data processing apparatus. It will be appreciatedthat the data may consist of the instructions contained within theapplication and/or the actual data values used during the execution ofthose instructions on the processor.

There arise many instances where the data used by at least one of theapplications is sensitive data that should not be accessible by otherapplications that can be run on the processor. An example would be wherethe data processing apparatus is a smart card, and one of theapplications is a security application which uses sensitive data, suchas for example secure keys, to perform validation, authentication,decryption and the like. It is clearly important in such situations toensure that such sensitive data is kept secure so that it cannot beaccessed by other applications that may be loaded onto the dataprocessing apparatus, for example hacking applications that have beenloaded onto the data processing apparatus with the purpose of seeking toaccess that secure data

In known systems, it has typically been the job of the operating systemdeveloper to ensure that the operating system provides sufficientsecurity to ensure that the secure data of one application cannot beaccessed by other applications running under the control of theoperating system. However, as systems become more complex, the generaltrend is for operating systems to become larger and more complex, and insuch situations it becomes increasingly difficult to ensure sufficientsecurity within the operating system itself.

Examples of systems seeking to provide secure storage of sensitive dataand to provide protection against malicious program code are thosedescribed in U.S. Patent Application US 2002/0007456 A1 and U.S. Pat.No. 6,282,657 B and U.S. Pat. No. 6,292,874 B.

Accordingly, it will be desirable to provide an improved technique forseeking to retain the security of such secure data contained within thememory of the data processing apparatus.

SUMMARY OF THE INVENTION

Viewed from a first aspect the present invention provides a dataprocessing apparatus having a secure domain and a non-secure domain, inthe secure domain the data processing apparatus having access to securedata which is not accessible in the non-secure domain, the dataprocessing apparatus comprising: a device bus; a device coupled to thedevice bus and operable to issue a memory access request pertaining toeither said secure domain or said non-secure domain; a memory coupled tothe device bus and operable to store data required by the device, thememory comprising secure memory for storing secure data and non-securememory for storing non-secure data, the device being operable to issueonto the device bus a memory access request when access to an item ofdata in the memory is required; and partition checking logic coupled tothe device bus and operable whenever the memory access request as issuedby the device pertains to said non-secure domain to detect if the memoryaccess request is seeking to access the secure memory, and upon suchdetection to prevent the access specified by that memory access request.

In accordance with the present invention, a device is coupled with amemory via a device bus, and is operable to issue a memory accessrequest pertaining to either a secure domain or a non-secure domain. Thememory is operable to store data required by the device, and consists ofsecure memory for storing secure data and non-secure memory for storingnon-secure data. When the device wishes to access an item of data in thememory, it is arranged to issue onto the device bus a memory accessrequest. In accordance with the present invention, partition checkinglogic is provided which is coupled to the device bus and is operablewhenever the memory access request as issued by the device pertains tosaid non-secure domain to detect if the memory access request is seekingto access the secure memory, and upon such detection to prevent theaccess specified by the memory access request.

Hence, the partition checking logic is arranged to police accesses tothe memory in order to ensure that no accesses to the secure memoryoccur when the memory access request issued by the device pertains tothe non-secure domain.

In one embodiment, the device is operable in a plurality of modes,including at least one non-secure mode being a mode in the non-securedomain and at least one secure mode being a mode in the secure domain.

The partition checking logic will have access to information about thepartitions between the secure memory and the non-secure memory. It willbe appreciated that this partitioning information could be hardwired inembodiments where the physical partition between secure memory andnon-secure memory cannot be altered. However, in preferred embodiments,the partitioning between secure memory and non-secure memory isconfigurable by the device when the device is operating in apredetermined secure mode, and in such embodiments, the partitionchecking logic is managed by the device when operating in thatpredetermined secure mode. Hence, if a rogue application were installedonto the device with the aim of seeking to access secure data, thatapplication will not be able to be run in the secure domain, andaccordingly it cannot alter the partitioning information. Hence, even ifthat application can output a memory access request which is seeking toaccess a location within the secure memory, the partition checking logicwill detect that that application executing in a non-secure mode of thedevice is seeking to access a secure memory location, and will preventthe access taking place.

It will be appreciated that there are a number of different ways inwhich the partition checking logic might receive information from thedevice about which domain the memory access request pertains to.However, in preferred embodiments the memory access request issued bythe device includes a domain signal identifying whether the memoryaccess request pertains to said secure domain or said non-secure domain.

In one embodiment, this domain signal hence identifies whether thedevice is operating in the secure domain or the non-secure domain, andthus the partition checking logic can be triggered to check the memoryaccess request in the event that that domain signal indicates that thedevice is operating in the non-secure domain. In preferred embodiments,the partition checking logic does not perform any partition checkingwhen the device is operating in the secure domain, since in preferredembodiments the device can access both the secure memory and thenon-secure memory when operating in a secure mode.

It will be appreciated that the domain signal can be incorporated withinthe memory access request in a variety of ways. Preferably, the domainsignal is asserted at the hardware level and hence is only assertable byan application which the device itself has verified is able to be run inthe secure domain. Hence it would not be possible for a rogueapplication executing on the device to tamper with the setting of thedomain signal. More particularly, in preferred embodiments, the devicehas a predetermined pin for outputting the domain signal onto the devicebus, and by default the domain signal is set to indicate that the deviceis operating in a non-secure mode. Hence, in one embodiment, only whenthe device is executing secure applications in the secure domain willthe domain signal be set to indicate that the device is operating in thesecure domain, and only when that domain signal is set will thepartition checking logic allow access to secure data in the memory.

It will be appreciated that the partition checking logic can be embodiedin a variety of ways. However, in preferred embodiments the partitionchecking logic is provided within an arbiter coupled to the device busto arbitrate between memory access requests issued on the device bus. Ithas been found to be convenient to associate the partition checkinglogic with the arbiter, the arbiter determining priorities betweenconflicting memory access requests, and the partition checking logicdetermining whether the memory access request granted by the arbiter canin fact be allowed to occur.

In preferred embodiments, in said non-secure domain the device isoperable under the control of a non-secure operating system, and in saidsecure domain the device is operable under the control of a secureoperating system. The secure operating system will typically besignificantly smaller than the non-secure operating system and can beviewed as a secure kernel provided to control certain secure functions.By this approach, the secure domain can be seen as providing a secureworld to enable certain sensitive operations to be carried out in acontrolled environment. Other applications would then remain in thenon-secure domain, which can be considered as a non-secure world.

It will be appreciated that the device can take a variety of forms, andindeed there may be multiple such devices coupled to the bus. In theevent of multiple devices coupled to the bus, each one that can operatein both secure and non-secure modes may independently control thepartition checking logic when that device is operating in a secure mode,in such situations the partition checking logic having access topartitioning information specific to each separate device. However,preferably, one of the devices is responsible for management of thepartition checking logic.

In preferred embodiments, at least one device is a chip incorporating aprocessor, the chip further comprising a memory management unitoperable, when the processor generates the memory access request, toperform one or more predetermined access control functions to controlissuance of the memory access request onto the device bus. One or moreother parts of the data processing apparatus may be provided on the samechip or may be provided off-chip.

It will be appreciated that the memory coupled to the device bus cantake a variety of forms, for example Random Access Memory (RAM), ReadOnly Memory (ROM), a hard disk, registers within certain peripheraldevices, etc. In addition to such memory, it will also be appreciatedthat when the device is a chip incorporating a processor with a systembus associated therewith, there may also be certain memory connected tothe system bus, for example, cache memory, Tightly Coupled Memory (TCM),etc.

Hence, in certain embodiments, the chip further comprises: furthermemory coupled to the processor via a system bus, the further memoryoperable to store data required by the processor, the further memorycomprising secure further memory for storing secure data and non-securefurther memory for storing non-secure data; and further partitionchecking logic coupled to the system bus and operable whenever thememory access request is generated by the processor when operating in anon-secure mode in said non-secure domain to detect if the memory accessrequest is seeking to access either the secure memory or the securefurther memory, and upon such detection to prevent the access specifiedby that memory access request.

Since the partition checking logic coupled to the device bus cannotperform any partition checking function with regard to memory connectedto the system bus, further partition checking logic is provided in suchembodiments to ensure that when the processor is operating in anon-secure mode, it cannot access any part of the secure memory system,whether that be parts of the secure memory coupled to the device bus, orparts of the further memory that contains secure data.

In accordance with one embodiment of the present invention, theprocessor is then operable in a plurality of modes including at leastone non-secure mode which is a mode in the non-secure domain, and atleast one secure mode which is a mode in the secure domain. When in anon-secure mode of operation, the processor is operable under thecontrol of a non-secure operating system, for example a standardpre-existing operating system. However, when in a secure mode ofoperation, the processor is operable under the control of a secureoperating system. The secure operating system is preferably relativelysmall compared with the non-secure operating system, and hence takes theform of a secure kernel for use when executing certain secure functions.By this approach, the secure domain can be seen as providing a secureworld to enable certain sensitive operations to be carried out in acontrolled environment. Other applications would then remain in thenon-secure domain, which can be considered as a non-secure world.

A memory management unit is provided in one embodiment which isoperable, upon receipt of a memory access request issued by theprocessor when the processor wishes to access an item of data in thememory, to perform one or more predetermined access control functions tocontrol issuance of that memory access request to the memory. As anexample, such predetermined access control functions could involvetranslation of virtual addresses to physical addresses, review of accesspermissions rights to ensure that the processor in its current mode ofoperation is entitled to access the data item requested, analysis ofregion attributes, for example to determine whether the data item iscacheable, bufferable, etc, as will be appreciated by those skilled inthe art.

Further, in accordance with this embodiment, the further partitionchecking logic is managed by the secure operating system. Since thefurther partition checking logic is managed by the secure operatingsystem, the set-up of the further partition checking logic cannot bealtered by non-secure applications, thus preventing unauthorised accessto the secure data.

The further partition checking logic will have access to informationabout the partitions between the secure memory and the non-securememory. It will be appreciated that this partitioning information couldbe hardwired in embodiments where the physical partition between securememory and non-secure memory cannot be altered. However, in preferredembodiments, the partitioning between secure memory and non-securememory is configurable by the processor when the processor is operatingin a predetermined secure mode, and in such embodiments, the furtherpartition checking logic is managed by the processor when operating inthat predetermined secure mode. Hence, if a rogue application wereinstalled onto the processor with the aim of seeking to access securedata, that application will not be able to be run in the secure domain,and accordingly it cannot alter the partitioning information. Hence,even if that application can output a memory access request which isseeking to access a location within the secure memory, the furtherpartition checking logic will detect that that application executing ina non-secure mode of the processor is seeking to access a secure memorylocation, and will prevent the access taking place.

It will be appreciated by those skilled in the art that memory accessrequests may specify virtual addresses, or in certain embodiments mayspecify physical addresses, depending on the architecture of the dataprocessing system. However, in preferred embodiments, when the processoris operating in a non-secure mode, memory access requests will specify avirtual address, and the memory management unit is controlled by thenon-secure operating system. In such embodiments, one of the preferredaccess control functions performed by the memory management unitcomprises conversion of the virtual address to a physical address, thefurther partition checking logic being operable to prevent the accessspecified by that memory access request if the physical address to begenerated by the memory management unit is within the secure memory.

Further, in preferred embodiments, when the processor is operating in asecure mode, the memory access request may specify a virtual address, inwhich event the memory management unit is controlled by the secureoperating system and one of said predetermined access control functionsperformed by the memory management unit comprises conversion of thevirtual address to a physical address, the further partition checkinglogic not being used in the at least one secure mode.

In one embodiment, all modes of operation of the processor employvirtual addresses for memory access requests, and the further partitionchecking logic is provided within the memory management unit, and isoperable whenever the processor is operating in a non-secure mode.Hence, irrespective of the mode of operation, the memory management unitis employed to perform the necessary address translation, and any otherrequired access control functions, but the further partition checkinglogic is preferably only used when the processor is operating in anon-secure mode, since typically when the processor is operating in asecure mode, there will be no restrictions on its access to the data inthe memory. However, it will be appreciated that in alternativeembodiments, some degree of partition checking may be provided forcertain secure modes of operation.

In an alternative embodiment of the present invention, there is at leastone particular secure mode of operation in which the memory accessrequest is specified directly by a physical address, and hence in such aparticular secure mode, there is no requirement for any virtual tophysical address translation to be performed. Whilst the approach ofspecifying physical addresses directly is less flexible than the virtualaddress approach, it is inherently more secure since there is no mappingbetween virtual addresses and physical addresses to be performed. Hence,in one particularly preferred embodiment, the secure mode that directlyspecifies physical addresses for memory access requests is the mostsecure mode of operation, in preferred embodiments this mode beingreferred to as a monitor mode of operation, and being responsible formanaging the transition of the data processing apparatus between thenon-secure and the secure domains.

In such preferred embodiments, the data processing apparatus furthercomprises a memory protection unit within which the further partitionchecking logic is provided, the memory protection unit being managed bythe secure operating system, wherein when the processor is operating ina particular secure mode, the memory access request specifies a physicaladdress for a memory location, the memory management unit is not used,and the memory protection unit is operable to perform at least memoryaccess permission processing to verify whether the memory locationspecified by the physical address is accessible in said particularsecure mode. Hence, when the processor is operating in a particularsecure mode, the access is managed solely by a memory protection unitmanaged by the secure operating system.

In preferred embodiments, the memory includes at least one tablecontaining for each of a number of memory regions an associateddescriptor, the memory management unit comprising an internal storageunit for storing access control information derived from the descriptorsand used by the memory management unit to perform the predeterminedaccess control functions for the memory access request, the furtherpartition checking logic being operable, when the processor is operatingin said at least one non-secure mode, to prevent the internal storageunit from storing access control information that would allow access tosaid secure memory.

As will be appreciated by those skilled in the art, such tables ofdescriptors can take a variety of forms, but in preferred embodimentssuch tables are page tables defining for each of a number of pages ofmemory a corresponding descriptor within which is described accesscontrol information relevant to that page of memory. Hence, thedescriptor may for example define a virtual address portion and acorresponding physical address portion for the page, access permissioninformation, such as whether that page is accessible in supervisor mode,user mode, etc, and region attributes such as whether the data containedwithin that page is cacheable, bufferable, etc.

In embodiments where the memory access request specifies a virtualaddress, and hence the descriptors in the table contain at least avirtual address portion and a corresponding physical address portion forthe corresponding memory region, the further partition checking logic isoperable, when the processor is operating in said at least onenon-secure mode, to prevent the internal storage unit from storing asaccess control information the physical address portion if the physicaladdress that would then be produced for the virtual address is withinthe secure memory.

As will be appreciated, in a correctly running system, a non-secureapplication being run by the processor in a non-secure mode willtypically not be aware of the secure memory, and the table referenced bythe processor to convert virtual addresses to physical addresses whenthe processor is operating in such a non-secure mode should notreference memory regions that incorporate any part of the secure memory.However, in instances where the non-secure application is a hackingapplication designed solely to seek access to the secure information, itwill be appreciated that it might be possible to corrupt the descriptorsin the table referenced by the processor when in a non-secure mode, toproduce a mapping which would point to parts of the secure memory.However, since the further partition checking logic is managed in thesecure domain by a secure operating system, it will not be corrupted bysuch activities, and accordingly can detect such situations where thephysical address portion retrieved from a descriptor is such that thephysical address that would then be produced for a particular virtualaddress is within the secure memory. Accordingly, if the table in memoryhas been fraudulently altered, the further partition checking logic willprevent the internal storage unit of the memory management unit fromstoring the altered access control information if an access to securememory would result, and hence will prevent the access from takingplace.

The internal storage unit within the memory management unit may take avariety of forms. However, in preferred embodiments the internal storageunit is a translation lookaside buffer (TLB) operable to store for anumber of virtual address portions the corresponding physical addressportions obtained from corresponding descriptors retrieved from the atleast one table.

In one embodiment, a single TLB will be contained within the memorymanagement unit, and the further partition checking logic will beoperable to ensure that any descriptor retrieved from a table in memorywill not be stored within the TLB if the processor is operating innon-secure mode and the physical address that would be produced based onthe access control information within that descriptor would point to alocation in secure memory. When switching between secure and non-securemodes of operation, the TLB would be flushed to ensure that descriptorsrelevant to secure mode are not available in non-secure mode, and viceversa.

However, in an alternative embodiment, the internal storage unitconsists of both a micro-TLB and main TLB, the main TLB being used tostore descriptors retrieved by the memory management unit from the atleast one table in memory, and access control information beingtransferred from the main TLB to the micro-TLB prior to use of thataccess control information by the memory management unit to perform thepredetermined access control functions for the memory access request. Insuch embodiments, the further partition checking logic is operable, whenthe processor is operating in said at least one non-secure mode, toprevent the transfer of any access control information from the main TLBto the micro-TLB that would allow access to said secure memory.

Hence, in such embodiments, descriptors can be copied into the main TLB,but the further partition checking logic is operable to police theinterface between the main TLB and the micro-TLB when the processor isoperating in non-secure mode, to ensure that no access controlinformation is passed to the micro-TLB that would allow access to thesecure memory.

In preferred embodiments, more than one table in memory is provided, anddifferent tables are used dependent on the mode of operation, thisthereby allowing different access control information to be defined fordifferent modes of operation. More particularly, in preferredembodiments, the at least one table comprises a non-secure table for usewhen the processor is operating in said at least one non-secure mode andcontaining descriptors generated by the non-secure operating system, inthe event that a descriptor within that non-secure table is associatedwith a memory region that at least partially incorporates a part of thesecure memory, the further partition checking logic being operable, whenthe processor is operating in non-secure mode, to prevent the internalstorage unit from storing as access control information the physicaladdress portion specified by that descriptor if the physical addressthat would then be produced for the virtual address is within the securememory.

Additionally, in such preferred embodiments where virtual to physicaladdress translation occurs in at least one secure mode, the at least onetable further comprises a secure table within the secure memory thatcontains descriptors generated by the secure operating system, the mainTLB having a flag associated with each descriptor stored within the mainTLB to identify whether that descriptor is from said non-secure table orsaid secure table.

By incorporating a flag within the main TLB to indicate whether acorresponding descriptor is from the non-secure table or the securetable, there is no need to flush the main TLB when the operation of theprocessor moves between the secure domain and the non-secure domain, orvice versa. When access control information is to be passed to themicro-TLB from a descriptor in the main TLB, only those descriptors thatare appropriate given the current domain in which the processor isoperating will be considered. Accordingly, if the processor is operatingin a non-secure mode, and hence is in the non-secure domain, then onlythose descriptors in the main TLB whose associated flag indicates arefrom the non-secure table will be reviewed as candidate descriptors fromwhich to obtain the access control information to be passed to themicro-TLB.

In such preferred embodiments, the micro-TLB is preferably flushedwhenever the mode of operation of the processor changes between a securemode and a non-secure mode, in the secure mode access controlinformation only being transferred to the micro-TLB from a descriptor inthe main TLB that said associated flag indicates is from the securetable, and in the non-secure mode access control information only beingtransferred to the micro-TLB from a descriptor in the main TLB that saidassociated flag indicates is from the non-secure table. The micro-TLB isgenerally significantly smaller than the main TLB, and hence theflushing of the micro-TLB whenever the processor moves between thesecure domain and the non-secure domain does not have a significantimpact on performance. Since the predetermined access control functionsperformed by the memory management unit are only performed having regardto access control information in the micro-TLB, the above describedmechanism ensures that for any particular mode of operation of theprocessor, the micro-TLB will only contain access control informationderived from descriptors obtained from the appropriate memory table,i.e. from a non-secure table when the processor is operating in anon-secure mode, or a from a secure table when the processor isoperating in a secure mode.

In embodiments where all secure modes of operation specify physicaladdresses directly within their memory access requests, it will beappreciated that there will not be a need for such a flag within themain TLB, as the main TLB will only store non-secure descriptors.

It will be appreciated that the memory can take a variety of forms, andcan be located in a variety of places within the data processingapparatus. For example, the memory may consist of one or more of avariety of elements, for example Random Access Memory (RAM), Read OnlyMemory (ROM), a hard disk drive, a Tightly Coupled Memory (TCM), one ormore caches, a variety of registers provided within peripheral devices,etc, and the address range of the memory will be such as to allow thesevarious elements of the memory to be separately addressed. Accordingly,whilst in some embodiments at least part of the memory may be coupled toa device bus as described earlier, other parts of the memory may becoupled to a different bus.

For example, in one embodiment, the processor is coupled to a systembus, and a part of the memory comprises a tightly coupled memory (TCM)connected to the system bus. As will be appreciated by those skilled inthe art, such a TCM is often used to store data used frequently by theprocessor, since access to the TCM via the system bus is significantlyfaster than access to external memory, for example memory on the devicebus. Often, the physical address range for the TCM is definable within acontrol register of the data processing apparatus. However, this cangive rise to certain security issues, as can be illustrated by thefollowing example.

When the processor is operating in a non-secure mode, the non-secureoperating system may be allowed to program that control register inorder to define as the TCM memory a physical address space whichoverlaps with part of the secure memory. When the processor subsequentlyoperates in the secure domain, the secure operating system may causesecure data to be stored in this secure memory part, in which event thatsecure data will typically be stored in the TCM rather than the externalmemory, since the TCM will typically have a higher priority. However, ifthe non-secure operating system subsequently changed again the settingof the physical address range for the TCM so that the previous securememory part is now mapped in a non-secure physical area of memory, itwill be appreciated that the non-secure operating system can then accessthe secure data, since the further partition checking logic will see thearea as non-secure and won't assert an abort. Hence, to summarise, ifthe TCM is configured to act as normal local RAM and not as SmartCache,it may be possible for the non-secure operating system to read secureworld data if it can move the TCM base register to non-secure physicaladdress.

In order to avoid this scenario, the data processing apparatus ofpreferred embodiments is preferably provided with a control flag whichis settable by the processor when operating in a privileged secure modeto indicate whether the tightly coupled memory is controllable by theprocessor only when executing in a privileged secure mode or iscontrollable by the processor when executing in the at least onenon-secure mode. The control flag is set by the secure operating system,and in effect defines whether the TCM is controlled by the secureprivileged modes or by non-secure modes. Hence, one configuration thatcan be defined is that the TCM is only controlled when the processor isoperating in a privileged secure mode of operation. In such embodiments,any non-secure access attempted to the TCM control registers will causean undefined instruction exception to be entered.

In an alternative configuration, the TCM can be controlled by theprocessor when operating in a non-secure mode of operation. In suchembodiments, the TCM is only used by the non-secure applications. Nosecure data can be stored to or loaded from the TCM. Hence, when asecure access is performed, no look-up is performed within the TCM tosee if the address matched the TCM address range. In one preferredembodiment, the TCM is configured so that it is only used by thenon-secure operating system, this having the benefit that the non-secureoperating system does not need to be changed, since operation proceedsin the normal manner with the TCM available to the non-secure operatingsystem.

Viewed from a second aspect, the present invention provides a method ofcontrolling access to a memory in a data processing apparatus having asecure domain and a non-secure domain, in the secure domain the dataprocessing apparatus having access to secure data which is notaccessible in the non-secure domain, the data processing apparatuscomprising a device bus, a device coupled to the device bus and operableto issue a memory access request pertaining to either said secure domainor said non-secure domain, and a memory coupled to the device bus andoperable to store data required by the device, the memory comprisingsecure memory for storing secure data and non-secure memory for storingnon-secure data, the method comprising the steps of: (i) issuing fromthe device onto the device bus a memory access request when access to anitem of data in the memory is required; and (ii) whenever the memoryaccess request as issued by the device pertains to said non-securedomain, employing partition checking logic coupled to the device bus todetect if the memory access request is seeking to access the securememory; and (iii) upon such detection, preventing the access specifiedby that memory access request.

Viewed from another aspect the present invention provides a dataprocessing apparatus, comprising: a device bus; a device coupled to thedevice bus and operable in a plurality of modes and either a securedomain or a non-secure domain, including at least one non-secure modebeing a mode in the non-secure domain and at least one secure mode beinga mode in the secure domain; a memory coupled to the device bus andoperable to store data required by the device, the memory comprisingsecure memory for storing secure data and non-secure memory for storingnon-secure data, the device being operable to issue onto the device busa memory access request when access to an item of data in the memory isrequired; and partition checking logic coupled to the device bus andoperable whenever the memory access request is issued by the device whenoperating in said at least one non-secure mode to detect if the memoryaccess request is seeking to access the secure memory, and upon suchdetection to prevent the access specified by that memory access request.

Viewed from another aspect, the present invention provides a method ofcontrolling access to a memory in a data processing apparatus, the dataprocessing apparatus comprising a device bus, a device coupled to thedevice bus and operable in a plurality of modes and either a securedomain or a non-secure domain, including at least one non-secure modebeing a mode in the non-secure domain and at least one secure mode beinga mode in the secure domain, and a memory coupled to the device bus andoperable to store data required by the device, the memory comprisingsecure memory for storing secure data and non-secure memory for storingnon-secure data, the method comprising the steps of: (i) issuing fromthe device onto the device bus a memory access request when access to anitem of data in the memory is required; and (ii) whenever the memoryaccess request is issued by the device when operating in said at leastone non-secure mode, employing partition checking logic coupled to thedevice bus to detect if the memory access request is seeking to accessthe secure memory; and (iii) upon such detection, preventing the accessspecified by that memory access request.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described further, by way of example only,with reference to preferred embodiments thereof as illustrated in theaccompanying drawings, in which:

FIG. 1 is a block diagram schematically illustrating a data processingapparatus in accordance with preferred embodiments of the presentinvention;

FIG. 2 schematically illustrates different programs operating in anon-secure domain and a secure domain;

FIG. 3 schematically illustrates a matrix of processing modes associatedwith different security domains;

FIGS. 4 and 5 schematically illustrate different relationships betweenprocessing modes and security domains;

FIG. 6 illustrates one programmer's model of a register bank of aprocessor depending upon the processing mode;

FIG. 7 illustrates an example of providing separate register banks for asecure domain and a non-secure domain;

FIG. 8 schematically illustrates a plurality of processing modes withswitches between security domains being made via a separate monitormode;

FIG. 9 schematically illustrates a scenario for security domainswitching using a mode switching software interrupt instruction;

FIG. 10 schematically illustrates one example of how non-secureinterrupt requests and secure interrupt requests may be processed by thesystem;

FIGS. 11A and 11B schematically illustrate an example of non-secureinterrupt request processing and an example of secure interrupt requestprocessing in accordance with FIG. 10;

FIG. 12 illustrates an alternative scheme for the handling of non-secureinterrupt request signals and secure interrupt request signals comparedto that illustrated in FIG. 10;

FIGS. 13A and 13B illustrate example scenarios for dealing with anon-secure interrupt request and a secure interrupt request inaccordance with the scheme illustrated in FIG. 12;

FIG. 14 is an example of a vector interrupt table;

FIG. 15 schematically illustrates multiple vector interrupt tablesassociated with different security domains;

FIG. 16 schematically illustrates an exception control register;

FIG. 17 is a flow diagram illustrating how an instruction attempting tochange a processing status register in a manner that alters the securitydomain setting can generate a separate mode change exception which inturn triggers entry into the monitor mode and running of the monitorprogram;

FIG. 18 schematically shows a thread of control of a processor operatingin a plurality of modes, wherein a task in monitor mode is interrupted;

FIG. 19 schematically shows a different thread of control of a processoroperating in a plurality of modes;

FIG. 20 schematically shows a further thread of control of a processoroperating in a plurality of modes, wherein interrupts are enabled inmonitor mode;

FIGS. 21 to 23 illustrate a view of different processing modes andscenario for switching between secure and non-secure domains inaccordance with another example embodiment(s);

FIG. 24 schematically illustrates the concept of adding a secureprocessing option to a traditional ARM core;

FIG. 25 schematically illustrates a processor having a secure andnon-secure domain and reset;

FIG. 26 schematically illustrates the delivering of processing requeststo a suspended operating system using a software faked interrupt;

FIG. 27 schematically illustrates another example of the delivering of aprocessing request to a suspended operating system via a software fakedinterrupt;

FIG. 28 is a flow diagram schematically illustrating processingperformed upon receipt of a software faked interrupt of the typegenerated in FIGS. 26 and 27;

FIGS. 29 and 30 schematically illustrate task following by a secureoperating system to track possible task switches made by a non-secureoperating system;

FIG. 31 is a flow diagram schematically illustrating the processingperformed upon receipt of a call at the secure operating system of FIGS.29 and 30;

FIG. 32 is a diagram schematically illustrating the problem of interruptpriority inversion which may occur in a system having multiple operatingsystems where different interrupts may be handled by different operatingsystems;

FIG. 33 is a diagram schematically illustrating the use of stubinterrupt handlers to avoid the problem illustrated in FIG. 32; and

FIG. 34 schematically illustrates how different types and priorities ofinterrupts may be handled depending upon whether or not they can beinterrupted by an interrupt which will be serviced using a differentoperating system;

FIG. 35 illustrates how the processor configuration data is overriddenwith monitor mode specific processor configuration data when theprocessor is operating in monitor mode;

FIG. 36 is a flow diagram illustrating how the processor configurationdata is switched when transitioning between the secure domain and thenon-secure domain in accordance with one embodiment to the presentinvention;

FIG. 37 is a diagram illustrating the memory management logic used inone embodiment of the present invention to control access to memory;

FIG. 38 is a block diagram illustrating the memory management logic of asecond embodiment of the present invention used to control access tomemory;

FIG. 39 is a flow diagram illustrating the process performed in oneembodiment of the present invention within the memory management logicto process a memory access request that specifies a virtual address;

FIG. 40 is a flow diagram illustrating the process performed in oneembodiment of the present invention within the memory management logicto process a memory access request that specifies a physical address;

FIG. 41 schematically illustrates how the partition checker of preferredembodiments is operable to prevent access to a physical address withinsecure memory when the device issuing the memory access request isoperating in a non-secure mode;

FIG. 42 is a diagram illustrating the use of both a non-secure pagetable and a secure page table in preferred embodiments of the presentinvention;

FIG. 43 is a diagram illustrating two forms of flag used within the maintranslation lookaside buffer (TLB) of preferred embodiments;

FIG. 44 illustrates how memory may be partitioned after a boot stage inone embodiment of the present invention;

FIG. 45 illustrates the mapping of the non-secure memory by the memorymanagement unit following the performance of the boot partition inaccordance with an embodiment of the present invention;

FIG. 46 illustrates how the rights of a part of memory can be altered toallow a secure application to share memory with a non-secure applicationin accordance with an embodiment of the present invention;

FIG. 47 illustrates how devices may be connected to the external bus ofthe data processing apparatus in accordance with one embodiment of thepresent invention;

FIG. 48 is a block diagram illustrating how devices may be coupled tothe external bus in accordance with the second embodiment of the presentinvention;

FIG. 49 illustrates the arrangement of physical memory in embodimentswhere a single set of page tables is used;

FIG. 50A illustrates an arrangement in which two MMUs are used toperform virtual to physical address translation via an intermediateaddress;

FIG. 50B illustrates an alternative arrangement in which two MMUs areused to perform virtual to physical address translation via anintermediate address;

FIG. 51 illustrates, by way of example, the correspondence betweenphysical address space and intermediate address space for both thesecure domain and the non-secure domain;

FIG. 52 illustrates the swapping of memory regions between secure andnon-secure domains through manipulation of the page tables associatedwith the second MMU;

FIG. 53 is an embodiment illustrating an implementation using a singleMMU, and where a miss in the main TLB causes an exception to be invokedto determine the virtual to physical address translation;

FIG. 54 is a flow diagram illustrating the process performed by theprocessor core in order to action an exception issued upon occurrence ofa miss in the main TLB of the MMU of FIG. 53;

FIG. 55 is a block diagram illustrating components provided within adata processing apparatus of one embodiment, in which the cache isprovided with information as to whether the data stored in individualcache lines is secure data or non-secure data;

FIG. 56 illustrates the construction of the memory management unitillustrated in FIG. 55;

FIG. 57 is a flow diagram illustrating the processing performed withinthe data processing apparatus of FIG. 55 to process a non-secure memoryaccess request;

FIG. 58 is a flow diagram illustrating the processing performed withinthe data processing apparatus of FIG. 55 in order to process a securememory access request;

FIG. 59 schematically shows possible granularity of monitoring functionsfor different modes and applications running on a processor;

FIG. 60 shows possible ways of initiating different monitoringfunctions;

FIG. 61 shows a table of control values for controlling availability ofdifferent monitoring functions;

FIG. 62 shows a positive-edge triggered FLIP-FLOP view;

FIG. 63 a scan chain cell;

FIG. 64 shows a plurality of scan chain cells in a scan chain;

FIG. 65 shows a debug TAP controller;

FIG. 66A shows a debug TAP controller with a JADI input;

FIG. 66B shows a scan chain cell with a bypass register;

FIG. 67 schematically illustrates a processor comprising a core, scanchains and a Debug Status and Control Register;

FIG. 68 schematically illustrates the factors controlling debug or traceinitialisation;

FIGS. 69A and 69B show a summary of debug granularity;

FIG. 70 schematically illustrates the granularity of debug while it isrunning; and

FIG. 71A and 71B show monitor debug when debug is enabled in secureworld and when it is not enabled respectively.

DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 is a block diagram illustrating a data processing apparatus inaccordance with preferred embodiments of the present invention. The dataprocessing apparatus incorporates a processor core 10 within which isprovided an arithmetic logic unit (ALU) 16 arranged to execute sequencesof instructions. Data required by the ALU 16 is stored within a registerbank 14. The core 10 is provided with various monitoring functions toenable diagnostic data to be captured indicative of the activities ofthe processor core. As an example, an Embedded Trace Module (ETM) 22 isprovided for producing a real time trace of certain activities of theprocessor core in dependence on the contents of certain controlregisters 26 within the ETM 22 defining which activities are to betraced. The trace signals are typically output to a trace buffer fromwhere they can subsequently be analysed. A vectored interrupt controller21 is provided for managing the servicing of a plurality of interruptswhich may be raised by various peripherals (not illustrated).

Further, as shown in FIG. 1, another monitoring functionality that canbe provided within the core 10 is a debug function, a debuggingapplication external to the data processing apparatus being able tocommunicate with the core 10 via a Joint Test Access Group (JTAG)controller 18 which is coupled to one or more scan chains 12.Information about the status of various parts of the processor core 10can be output via the scan chains 12 and the JTAG controller 18 to theexternal debugging application. An In Circuit Emulator (ICE) 20 is usedto store within registers 24 conditions identifying when the debugfunctions should be started and stopped, and hence for example will beused to store breakpoints, watchpoints, etc.

The core 10 is coupled to a system bus 40 via memory management logic 30which is arranged to manage memory access requests issued by the core 10for access to locations in memory of the data processing apparatus.Certain parts of the memory may be embodied by memory units connecteddirectly to the system bus 40, for example the Tightly Coupled Memory(TCM) 36, and the cache 38 illustrated in FIG. 1. Additional devices mayalso be provided for accessing such memory, for example a Direct MemoryAccess (DMA) controller 32. Typically, various control registers 34 willbe provided for defining certain control parameters of the variouselements of the chip, these control registers also being referred toherein as coprocessor 15 (CP15) registers.

The chip containing the core 10 may be coupled to an external bus 70(for example a bus operating in accordance with the “AdvancedMicrocontroller Bus Architecture” (AMBA) specification developed by ARMLimited) via an external bus interface 42, and various devices may beconnected to the external bus 70. These devices may include masterdevices such as a digital signal processor (DSP) 50, or a direct memoryaccess (DMA) controller 52, as well as various slave devices such as theboot ROM 44, the screen driver 46, the external memory 56, aninput/output (I/O) interface 60 or a key storage unit 64. These variousslave devices illustrated in FIG. 1 can all be considered asincorporating parts of the overall memory of the data processingapparatus. For example, the boot ROM 44 will form part of theaddressable memory of the data processing apparatus, as will theexternal memory 56. Further, devices such as the screen driver 46, I/Ointerface 60 and key storage unit 64 will all include internal storageelements such as registers or buffers 48, 62, 66, respectively, whichare all independently addressable as part of the overall memory of thedata processing apparatus. As will be discussed in more detail later, apart of the memory, e.g. part of external memory 56, will be used tostore one or more page tables 58 defining information relevant tocontrol of memory accesses.

As will be appreciated by those skilled in the art, the external bus 70will typically be provided with arbiter and decoder logic 54, thearbiter being used to arbitrate between multiple memory access requestsissued by multiple master devices, for example the core 10, the DMA 32,the DSP 50, the DMA 52, etc, whilst the decoder will be used todetermine which slave device on the external bus should handle anyparticular memory access request.

Whilst in some embodiments, the external bus may be provided externallyto the chip containing the core 10, in other embodiments the externalbus will be provided on-chip with the core 10. This has the benefit thatsecure data on the external bus is easier to keep secure than when theexternal bus is off-chip; when the external bus is off-chip, dataencryption techniques may be used to increase the security of securedata.

FIG. 2 schematically illustrates various programs running on aprocessing system having a secure domain and a non-secure domain. Thesystem is provided with a monitor program 72 which executes at leastpartially in a monitor mode. In this example embodiment security statusflag is write accessible only within the monitor mode and may be writtenby the monitor program 72. The monitor program 72 is responsible formanaging all changes between the secure domain and the non-secure domainin either direction. From a view external to the core the monitor modeis always secure and the monitor program is in secure memory.

Within the non-secure domain there is provided a non-secure operatingsystem 74 and a plurality of non-secure application programs 76, 78which execute in co-operation with the non-secure operating system 74.In the secure domain, a secure kernel program 80 is provided. The securekernel program 80 can be considered to form a secure operating system.Typically such a secure kernel program 80 will be designed to provideonly those functions which are essential to processing activities whichmust be provided in the secure domain such that the secure kernel 80 canbe as small and simple as possible since this will tend to make it moresecure. A plurality of secure applications 82, 84 are illustrated asexecuting in combination with the secure kernel 80.

FIG. 3 illustrates a matrix of processing modes associated withdifferent security domains. In this particular example the processingmodes are symmetrical with respect to the security domain andaccordingly Mode 1 and Mode 2 exist in both secure and non-secure forms.

The monitor mode has the highest level of security access in the systemand in this example embodiment is the only mode entitled to switch thesystem between the non-secure domain and the secure domain in eitherdirection. Thus, all domain switches take place via a switch to themonitor mode and the execution of the monitor program 72 within themonitor mode.

FIG. 4 schematically illustrates another set of non-secure domainprocessing modes 1, 2, 3, 4 and secure domain processing modes a, b, c.In contrast to the symmetric arrangement of FIG. 3, FIG. 4 shows thatsome of the processing modes may not be present in one or other of thesecurity domains. The monitor mode 86 is again illustrated as straddlingthe non-secure domain and the secure domain. The monitor mode 86 can beconsidered a secure processing mode, since the secure status flag may bechanged in this mode and monitor program 72 in the monitor mode has theability to itself set the security status flag it effectively providesthe ultimate level of security within the system as a whole.

FIG. 5 schematically illustrates another arrangement of processing modeswith respect to security domains. In this arrangement both secure andnon-secure domains are identified as well as a further domain. Thisfurther domain may be such that it is isolated from other parts of asystem in a way that it does not need to interact with either of thesecure domain or non-secure domain illustrated and as such the issue ofto which of these it belongs to is not relevant.

As will be appreciated a processing system, such as a microprocessor isnormally provided with a register bank 88 in which operand values may bestored. FIG. 6 illustrates a programmer's model view of an exampleregister bank with dedicated registers being provided for certain of theregister numbers in certain of the processing modes. More particularly,the example of FIG. 6 is an extension of the known ARM register bank(e.g. as provided in ARM7 processors of ARM Limited, Cambridge, England)which is provided with a dedicated saved program status register, adedicated stack pointer register and a dedicated link register R14 foreach processing mode, but in this case extended by the provision of amonitor mode. As illustrated in FIG. 6, the fast interrupt mode hasadditional dedicated registers provided such that upon entry of the fastinterrupt mode there is no need to save and then restore registercontents from other modes. The monitor mode may in alternativeembodiments also be provided with dedicated further registers in asimilar manner to the fast interrupt mode so as to speed up processingof a security domain switch and reduce system latency associated withsuch switches.

FIG. 7 schematically illustrates another embodiment in which theregister bank 88 is provided in the form of two complete and separateregister banks that are respectively used in the secure domain and thenon-secure domain. This is one way in which secure data stored withinregisters operable in the secure domain can be prevented from becomingaccessible when a switch is made to the non-secure domain. However, thisarrangement hinders the possibility of passing data from the non-securedomain to the secure domain as may be permitted and desirable by usingthe fast and efficient mechanism of placing it in a register which isaccessible in both the non-secure domain and the secure domain.

An important advantage of having secure register bank is to avoid theneed for flushing the contents of registers before switching from oneworld to the other. If latency is not a critical issue, a simplerhardware system with no duplicated registers for the secure domain worldmay be used, e.g. FIG. 6. The monitor mode is responsible switching fromone domain to the other. Restoring context, saving previous context, aswell as flushing registers is performed by a monitor program at leastpartially executing in monitor mode. The system behaves thus like avirtualisation model. This type of embodiment is discussed furtherbelow. Reference should be made to, for example, the programmer's modelof the ARM7 upon which the security features described herein build.

Processor Modes

Instead of duplicating modes in secure world, the same modes supportboth secure and non-secure domains (see FIG. 8). Monitor mode is awareof the current status of the core, either secure or non-secure (e.g. asread from an S bit stored is a coprocessor configuration register).

In the FIG. 8, whenever an SMI (Software Monitor Interrupt instruction)occurs, the core enters monitor mode to switch properly from one worldto the other.

With reference to FIG. 9 in which SMIs are permitted from user mode:

-   1. The scheduler launches thread 1-   2. Thread 1 needs to perform a secure function=>SMI secure call, the    core enters monitor mode. Under hardware control the current PC and    CPSR (current processor status register) are stored in R14_mon and    SPSR_mon (saved processor status register for the monitor mode) and    IRQ/FIQ interrupts are disabled.-   3. The monitor program does the following tasks:    -   The S bit is set (the secure status flag).    -   Saves at least R14_mon and SPSR_mon in a stack so that        non-secure context cannot be lost if an exception occurs whilst        the secure application is running.    -   Checks there is a new thread to launch: secure thread 1. A        mechanism (via thread ID table in some example embodiments)        indicates that thread 1 is active in the secure world.    -   IRQ/FIQ interrupts are re-enabled. A secure application can then        start in secure user mode.-   4. Secure thread 1 runs until it finishes, then branches (SMI) onto    the ‘return from secure’ function of the monitor program mode    (IRQ/FIQ interrupts are then disabled when the core enters monitor    mode)-   5. The ‘return from secure’ function does the following tasks:    -   indicates that secure thread 1 is finished (e.g., in the case of        a thread ID table, remove thread 1 from the table).    -   Restore from stack non-secure context and flush required        registers, so that no secure data can be read once return has        been made to the non-secure domain.    -   Then branches back to the non-secure domain with a SUBS        instruction (this restores the program counter to the correct        point and updates the status flags), restoring the PC (from        restored R14_mon) and CPSR (from SPSR_mon). So, the return point        in the non-secure domain is the instruction following the        previously executed SMI in thread 1.-   6. Thread 1 executes until the end, then gives the hand back to the    scheduler.

Some of the above functionality may be split between the monitor programand the secure operating system depending upon the particularembodiment.

In other embodiments it may be desired not to allow SMIs to occur inuser modes.

Secure World Entry

Reset

When a hardware reset occurs, the MMU is disabled and the ARM core(processor) branches to secure supervisor mode with the S bit set. Oncethe secure boot is terminated an SMI to go to monitor mode may beexecuted and the monitor can switch to the OS in non-secure world(non-secure svc mode) if desired. If it is desired to use a legacy OSthis can simply boot in secure supervisor mode and ignore the securestate.

SMI Instruction

This instruction (a mode switching software interrupt instruction) canbe called from any non-secure modes in the non-secure domain (aspreviously mentioned it may be desired to restrict SMIs to privilegedmodes), but the target entry point determined by the associated vectoris always fixed and within monitor mode. Its up to the SMI handler toranch to the proper secure function that must be run (e.g. controlled byan operand passed with the instruction).

Passing parameters from non-secure world to secure world can beperformed sing the shared registers of the register bank within a FIG. 6type register bank.

When a SMI occurs in non-secure world, the ARM core may do the followingactions in hardware:

Branch to SMI vector (in secure memory access is allowed since you willnow be in monitor mode) into monitor mode

-   -   Save PC into R14_mon and CPSR into SPSR_mon    -   Set the S bit using the monitor program    -   Start to execute secure exception handler in monitor mode        (restore/save context in case of multi-threads)    -   Branch to secure user mode (or another mode, like svc mode) to        execute the appropriate function    -   IRQ and FIQ are disabled while the core is in monitor mode        (latency is increased)

Secure World Exit

There are two possibilities to exit secure world:

-   -   The secure function is finished and we return into previous        non-secure mode that had called this function.    -   The secure function is interrupted by a non-secure exception        (e.g. IRQ/FIQ/SMI).

Normal End of Secure Function

The secure function terminates normally and we need to resume anapplication in the non-secure world at the instruction just after theSMI. In the secure user mode, a ‘SMI’ instruction is performed to returnto monitor mode with the appropriate parameters corresponding to a‘return from secure world’ routine. At this stage, the registers areflushed to avoid leakage of data between non-secure and secure worlds,then non-secure context general purpose registers are restored andnon-secure banked registers are updated with the value they had innon-secure world. R14_mon and SPSR_mon thus get the appropriate valuesto resume the non-secure application after the SMI, by executing a ‘MOVSPC, R14’ instruction.

Exit of Secure Function Due to a Non-Secure Exception

In this case, the secure function is not finished and the secure contextmust be saved before going into the non-secure exception handler,whatever the interrupts are that need to be handled.

Secure Interrupts

There are several possibilities for secure interrupts.

Two possible solutions are proposed which depend on:

-   -   What kind of interrupt it is (secure or non-secure)    -   What mode the core is in when the IRQ occurs (either in secure        or in non-secure world)

Solution One

In this solution, two distinct pins are required to support secure andnon-secure interrupts.

While in Non Secure world, if

-   -   an IRQ occurs, the core goes to IRQ mode to handle this        interrupt as in ARM cores such as the ARM7    -   a SIRQ occurs, the core goes to monitor mode to save non-secure        context and then to a secure IRQ handler to deal with the secure        interrupt.

While in Secure world, if

-   -   an SIRQ occurs, the core goes to the secure IRQ handler. The        core does not leave the secure world    -   an IRQ occurs, the core goes to monitor mode where secure        context is saved, then to a non-secure IRQ handler to deal with        this non-secure interrupt.

In other words, when an interrupt that does not belong to the currentworld occurs, the core goes directly to monitor mode, otherwise it staysin the current world (see FIG. 10).

IRO Occurring in Secure World

See FIG. 11A:

-   1. The scheduler launches thread 1.-   2. Thread 1 needs to perform a secure function=>SMI secure call, the    core enters monitor mode. Current PC and CPSR are stored in R14_mon    and SPSR_mon, IRQ/FIQ are disabled.-   3. The monitor handler (program) does the following tasks:    -   The S bit is set.    -   Saves at least R14_mon and SPSR_mon in a stack (and possibly        other registers are also pushed) so that non-secure context        cannot be lost if an exception occurs whilst the secure        application is running.    -   Checks there is a new thread to launch: secure thread 1. A        mechanism (via thread ID table) indicates that thread 1 is        active in the secure world.    -   Secure application can then start in the secure user mode.        IRQ/FIQ are then re-enabled.-   4. An IRQ occurs while secure thread 1 is running. The core jumps    directly to monitor mode (specific vector) and stores current PC in    R14_mon and CPSR in SPSR_mon in monitor mode, (IRQ/FIQ are then    disabled).-   5. Secure context must be saved, previous non-secure context is    restored. The monitor handler may be to IRQ mode to update    R14_irq/SPSR_irq with appropriate values and then passes control to    a non-secure IRQ handler.-   6. The IRQ handler services the IRQ, then gives control back to    thread 1 in the non-secure world. By restoring SPRS_irq and R14_irq    into the CPSR and PC, thread 1 is now pointing onto the SMI    instruction that has been interrupted.-   7. The SMI instruction is re-executed (same instruction as 2).-   8. The monitor handler sees this thread has previously been    interrupted, and restores the thread 1 context. It then branches to    secure thread 1 in user mode, pointing onto the instruction that has    been interrupted.-   9. Secure thread 1 runs until it finishes, then branches onto the    ‘return from secure’ function in monitor mode (dedicated SMI).-   10. The ‘return from secure’ function does the following tasks:    -   indicates that secure thread 1 is finished (i.e., in the case of        a thread ID table, remove thread 1 from the table).    -   restore from stack non-secure context and flush required        registers, so that no secure data can be read once a return is        made to non-secure world.    -   branches back to the non-secure world with a SUBS instruction,        restoring the PC (from restored R14_mon) and CPSR (from        SPSR_mon). So, the return point in the non-secure world should        be the instruction following the previously executed SMI in        thread 1.-   11. Thread 1 executes until the end, then gives control back to the    scheduler.

SIRQ Occurring in Non-Secure World

See FIG. 11B:

-   1. The schedule launches thread 1-   2. A SIRQ occurs while secure thread 1 is running. The core jumps    directly to monitor mode (specific vector) and stores current PC in    R14_mon and CPSR in SPSR_mon in monitor mode, IRQ/FIQ are then    disabled.-   3. Non-Secure context must be saved, then the core goes to a secure    IRQ handler.-   4. The IRQ handler services the SIRQ, then gives control back to the    monitor mode handler using an SMI with appropriate parameters.-   5. The monitor handler restores non-secure context so that a SUBS    instruction makes the core return to the non-secure world and    resumes the interrupted thread 1.-   6. Thread 1 executes until the end, then gives the hand back to the    scheduler.

The mechanism of FIG. 11A has the advantage of providing a deterministicway to enter secure world. However, there are some problems associatedwith interrupt priority: e.g. while a SIRQ is running in secureinterrupt handler, a non-secure IRQ with higher priority may occur. Oncethe non-secure IRQ is finished, there is a need to recreate the SIRQevent so that the core can resume the secure interrupt.

Solution Two

In this mechanism (See FIG. 12) two distinct pins, or only one, maysupport secure and non-secure interrupts. Having two pins reducesinterrupt latency.

While in Non Secure world, if

-   -   an IRQ occurs, the core goes to IRQ mode to handle this        interrupt like in ARM7 systems    -   a SIRQ occurs, the core goes to an IRQ handler where an SMI        instruction will make the core branch to monitor mode to save        non-secure context and then to a secure IRQ handler to deal with        the secure interrupt.

While in a Secure world, if

-   -   a SIRQ occurs, the core goes to the secure IRQ handler. The core        does not leave the secure world    -   an IRQ occurs, the core goes to the secure IRQ handler where an        SMI instruction will make the core branch to monitor mode (where        secure context is saved), then to a non-secure IRQ handler to        deal with this non-secure interrupt.

IRO Occurring In Secure World

See FIG. 13A:

-   1. The schedule launches thread 1.-   2. Thread 1 needs to perform a secure function=>SMI secure call, the    core enters monitor mode. Current PC and CPSR are stored in R14_mon    and SPSR_mon, IRQ/FIQ are disabled.-   3. The monitor handler does the following tasks:    -   The S bit is set.    -   Saves at least R14_mon and SPSR_mon in a stack (eventually other        registers) so that non-secure context cannot be lost if an        exception occurs whilst the secure application is running.    -   Checks there is a new thread to launch: secure thread 1. A        mechanism (via thread ID table) indicates that thread 1 is        active in the secure world.    -   Secure application can then start in the secure user mode.        IRQ/FIQ are re-enabled.-   4. An IRQ occurs while secure thread 1 is running. The core jumps    directly to secure IRQ mode.-   5. The core stores current PC in R14_irq and CPSR in SPSR₁₃irq. The    IRQ handler detects this is a non-secure interrupt and performs a    SMI to enter monitor mode with appropriate parameters.-   6. Secure context must be saved, previous non-secure context is    restored. The monitor handler knows where the SMI came from by    reading the CPSR. It can also go to IRQ mode to read    R14_irq/SPSR_irq to save properly secure context. It can also save    in these same registers the non-secure context that must be restored    once the IRQ routine will be finished.-   7. The IRQ handler services the IRQ, then gives control back to    thread 1 in the non-secure world. By restoring SPRS_irq and R14_irq    into the CPSR and PC, the core is now pointing onto the SMI    instruction that has been interrupted.-   8. The SMI instruction is re-executed (same instruction as 2).-   9. The monitor handler sees this thread has previously been    interrupted, and restores the thread 1 context. It then branches to    secure thread 1 in user mode, pointing to the instruction that has    been interrupted.-   10. Secure thread 1 runs until it finishes, then branches onto the    ‘return from secure’; function in monitor mode (dedicated SMI).-   11. The ‘return from secure’ function does the following tasks:    -   indicates that secure thread 1 is finished (i.e., in the case of        a thread ID table, remove thread 1 from the table).    -   restores from stack non-secure context and flushes required        registers, so that no secure information can be read once we        return in non-secure world.    -   branches back to the non-secure world with a SUBS instruction,        restoring the PC (from restored R14_mon) and CPSR (from        SPSR_mon). The return point in the non-secure world should be        the instruction following the previously executed SMI in thread        1.-   12. Thread 1 executes until the end, then gives the hand back to the    scheduler.

SIRQ Occurring in Non-Secure World

See FIG. 13B:

-   1. The schedule launches thread 1.-   2. A SIRQ occurs while secure thread 1 is running.-   3. The core jumps directly irq mode and stores current PC in R14_irq    and CPSR in SPSR_irq. IRQ is then disabled. The IRQ handler detects    this is a SIRQ and performs a SMI instruction with appropriate    parameters.-   4. Once in monitor mode, non-secure context must be saved, then the    core goes to a secure IRQ handler.-   5. The secure IRQ handler services the SIRQ service routine, then    gives control back to monitor with SMI with appropriate parameters.-   6. The monitor handler restores non-secure context so that a SUBS    instruction makes the core returns to non-secure world and resumes    the interrupted IRQ handler.-   7. The IRQ handler may then return to the non-secure thread by    performing a SUBS.-   8. Thread 1 executes until the end, then gives control back to the    scheduler.

With the mechanism of FIG. 12, there is no need to recreate the SIRQevent in the case of nested interrupts, but there is no guarantee thatsecure interrupts will be performed.

Exception Vectors

At least two physical vector tables are kept (although from a virtualaddress point of view they may appear as a single vector table), one forthe non-secure world in non-secure memory, the one for the secure worldin secure memory (not accessible from non-secure world). The differentvirtual to physical memory mappings used in the secure and non-secureworlds effectively allow the same virtual memory addresses to accessdifferent vector tables stored in physical memory. The monitor mode mayalways use flat memory mapping to provide a third vector table inphysical memory.

If the interrupts follow the FIG. 12 mechanism, there would be thefollowing vectors shown in FIG. 14 for each table. This vector set isduplicated in both secure and non-secure memory.

Exception Vector Offset Corresponding Mode Reset 0x00 Supervisor Mode (Sbit set) Undef 0x04 Monitor mode/Undef mode SWI 0x08 Supervisormode/Monitor mode Prefetch Abort 0x0C Abort mode/Monitor mode Data Abort0x10 Abort mode/Monitor Mode IRQ/SIRQ 0x18 IRQ mode FIQ 0x1X FIQ modeSMI 0x20 Undef mode/Monitor mode

NB. The Reset entry is only in the secure vector table. When a Reset isperformed in non secure world, the core hardware forces entry ofsupervisor mode and setting of the S bit so that the Reset vector can beaccessed in secure memory.

FIG. 15 illustrates three exception vector tables respectivelyapplicable to a secure mode, a non-secure mode and the monitor mode.These exception vector tables may be programmed with exception vectorsin order to match the requirements and characteristics of the secure andnon-secure operating systems. Each of the exception vector tables mayhave an associated vector table base address register within CP15storing a base address pointing to that table within memory. When anexception occurs the hardware will reference the vector table baseaddress register corresponding to the current state of the system todetermine the base address of the vector table to be used.Alternatively, the different virtual to physical memory mappings appliedin the different modes may be used to separate the three differentvector table stored at different physical memory addresses. Asillustrated in FIG. 16, an exception trap mask register is provided in asystem (configuration controlling) coprocessor (CP15) associated withthe processor core. This exception trap mask register provides flagsassociated with respective exception types. These flags indicate whetherthe hardware should operate to direct processing to either the vectorfor the exception concerned within its current domain or should force aswitch to the monitor mode (which is a type of secure mode) and thenfollow the vector in the monitor mode vector table. The exception trapmask register (exception control register) is only writable from themonitor mode. It may be that read access is also prevented to theexception trap mask register when in a non-secure mode. It will be seenthat the exception trap mask register of FIG. 16 does not include a flagfor the reset vector as the system is configured to always force this tojump to the reset vector in the secure supervisor mode as specified inthe secure vector table in order to ensure a secure boot and backwardscompatibility. It will be seen that in FIG. 15, for the sake ofcompleteness, reset vectors have been shown in the vector tables otherthan the secure supervisor mode secure vector table.

FIG. 16 also illustrates that the flags for the different exceptiontypes within the exception trap mask register are programmable, such asby the monitor program during secure boot. Alternatively, some or all ofthe flags may in certain implementations be provided by physical inputsignals, e.g. the secure interrupt flag SIRQ may be hardwired to alwaysforce monitor mode entry and execution of the corresponding monitor modesecure interrupt request vector when a secure interrupt signal isreceived. FIG. 16 illustrates only that portion of the exception trapregister concerned with non-secure domain exceptions, a similar set ofprogrammable bits will be provided for secure domain exceptions.

Whilst it will be understood from the above that at one level thehardware acts to either force an interrupt to be serviced by the currentdomain exception handler or the monitor mode exception handler dependingupon the exception control register flags, this is only the first levelof control that is applied. As an example, it is possible for anexception to occur in the secure mode, the secure mode exception vectorto be followed to the secure mode exception handler, but this securemode exception handler then decide that the exception is of a naturethat it is better dealt with by the non-secure exception handler andaccordingly utilise an SMI instruction to switch to the non-secure modeand invoke the non-secure exception handler. The converse is alsopossible where the hardware might act to initiate the non-secureexception handler, but this then execute instructions which directprocessing to the secure exception handler or the monitor mode exceptionhandler.

FIG. 17 is a flow diagram schematically illustrating the operation ofthe system so as to support another possible type of switching requestassociated with a new type of exception. At step 98 the hardware detectsany instruction which is attempting to change to monitor mode asindicate in a current program status register (CPSR). When such anattempt is detected, then a new type of exception is triggered, thisbeing referred to herein as a CPSR violation exception. The generationof this CPSR violation exception at step 100 results in reference to anappropriate exception vector within the monitor mode and the monitorprogram is run at step 102 to handle the CPSR violation exception.

It will be appreciated that the mechanisms for initiating a switchbetween secure domain and non-secure domain discussed in relation toFIG. 17 may be provided in addition to support for the SMI instructionpreviously discussed. This exception mechanism may be provided torespond to unauthorised attempts to switch mode as all authorisedattempts should be made via an SMI instruction. Alternatively, such amechanism may be legitimate ways to switch between the secure domain andthe non-secure domain or may be provided in order to give backwardscompatibility with existing code which, for example, might seek to clearthe processing status register as part of its normal operation eventhough it was not truly trying to make an unauthorised attempt to switchbetween the secure domain and the non-secure domain.

As described above, in general interrupts are disabled when theprocessor is operating in monitor mode. This is done to increase thesecurity of the system. When an interrupt occurs the state of theprocessor at that moment is stored in interrupt exception registers sothat on completion of the interrupt function the processing of theinterrupted function can be resumed at the interrupt point. If thisprocess were allowed in monitor mode it could reduce the security of themonitor mode, giving a possible secure data leakage path. For thisreason interrupts are generally disabled in monitor mode. However, oneconsequence of disabling interrupts during monitor mode is thatinterrupt latency is increased.

It would be possible to allow interrupts in monitor mode if the state ofthe processor executing the function was not stored. This can only bedone if following an interrupt the function is not resumed. Thus, theproblem of interrupt latency in monitor mode may be addressed byallowing interrupts in monitor mode only of functions that can be safelyrestarted. In this case, following an interrupt in monitor mode, thedata relating to the processing of the function is not stored but isthrown away and the processor is instructed to start processing of thefunction from its beginning once the interrupt has finished. In theabove example this is a simple thing to do as the processor simplyreturns to the point at which it switched to monitor mode. It should benoted that restarting a function is only possible for certain functionsthat can be restarted and still produce repeatable results. If thefunction has changed a state of the processor such that if it wererestarted it would produce a different result then it is not a good ideato restart the function. For this reason, only those functions that aresafely restartable can be interrupted in monitor mode, for otherfunctions the interrupts are disabled.

FIG. 18 illustrates a way of dealing with an interrupt occurring inmonitor mode according to an embodiment of the present invention. An SMIoccurs during processing of task A in a non-secure mode and thisswitches the processor to monitor mode. The SMI instruction makes thecore enter the Monitor mode through a dedicated non-secure SMI vector.The current state of the PC is saved, the s bit is set and interruptsare disabled. Generally, LR_mon and SPSR_mon are used to save the PC andCPSR of the non secure mode.

A function, function C is then initiated in monitor mode. The firstthing function C does is to enable the interrupts, function C is thenprocessed. If an interrupt occurs during the processing of function C,the interrupts are not disabled so the interrupt is accepted andperformed. However, the monitor mode indicator indicates to theprocessor that following an interrupt, the function is not to beresumed, but rather restarted. Alternatively, this may be indicated tothe processor by a separate control parameter. Thus, following aninterrupt the interrupt exception vectors are updated with the values ofLR_mon and SPSR_mon and the current state of the processor is notstored.

As is shown in FIG. 18 following completion of the interrupt task, taskB, the processor reads the address of the SMI instruction which has beencopied to the interrupt register and performs an SMI and starts toprocess function C again.

The above process only works if function C is restartable, that is tosay if restarting process C will result in repeatable processing steps.This will not be the case if function C has changed any of the states ofthe processor such as the stack pointer that may affect its futureprocessing. A function that is repeatable in this way is said to haveidempotence. One way of dealing with the problem of a function nothaving idempotence is to rearrange the code defining the function insuch a way that the first portion of the code has idempotence and onceit is no longer possible to arrange the code to have idempotenceinterrupts are disabled. For example, if code C involves writing to thestack, it may be possible to do so without updating the stack pointer atleast at first. Once it is decided that the code can no longer feasiblybe safely restarted, then the code for function C can instruct theprocessor to disable interrupts and then it can update the stack pointerto the correct position. This is shown in FIG. 18 where interrupts aredisabled a certain way through the processing of function C.

FIG. 19 illustrates a slightly different example. In this example, acertain way through the processing of task C, a further controlparameter is set. This indicates that the following portion of task C isnot strictly idempotent, but can be safely restarted provided that afix-up routine is run first. This fix-up routine acts to restore a stateof the processor to how it was at the start of task C, such that task Ccan be safely restarted and produce the same processor state at the endof the task as it would have done had it not been interrupted. In someembodiments at the point that the further control parameter is setinterrupts may be disabled for a short while while some states of theprocessor are amended such as the stack pointer being updated. Thisallows the processor to be restored to an idempotent state later.

When an interrupt occurs after the further control parameter has beenset, then there are two possible ways to proceed. Either the fix-uproutine can be performed immediately (at F1) and then the interrupt canbe processed, or the interrupt can be processed immediately andfollowing completion of the interrupt, the SMI is executed and thenprior to restarting task C the fix-up routine is performed (at F2). Ascan be seen, in both of these embodiments the fix-up routine isperformed in monitor mode, and thus execution in the non-secure domain,which is not aware of the secure domain or of the monitor mode is notaffected.

As can be seen from FIG. 19, a first portion of code C has idempotenceand can be restarted following an interrupt. A second portion isrestartable provided a fix-up routine is run first, and this isindicated by setting a “further” control parameter, and a final portionof the code cannot be restarted and thus, interrupts are disabled beforethis code is processed.

FIG. 20 illustrates an alternative example, in this case, which isdifferent to other embodiments, interrupts are enabled during themonitor mode. Functions running in the monitor mode then act to disableinterrupts as soon as they are no longer safely restartable. This isonly possible if all functions interrupted in monitor mode are restartedrather than resumed.

There are several ways that it can be ensured that all functions runningin a certain mode are restarted rather than resumed when interrupted.One way is by adding a new processor state in which interrupts save theaddress of the start of the instruction sequence rather than the addressof the interrupted instruction. In this case monitor mode would thenalways be run in this state. An alternative way is by preloading theaddress of the start of a function to the interrupt exception registerat the start of each function and disabling subsequent writing of thestate of the processor following interrupt to interrupt exceptionregisters.

In the embodiment illustrated in FIG. 20 restarting of the functions maybe done immediately following termination of the interrupt function orit may be done following a fix-up routine, if that is required to makethe function safely restartable.

Although the above described way of dealing with interrupt latency hasbeen described with respect to a system having secure and non-securedomains and a monitor mode, it is clearly applicable to any system whichhas functions that should not be resumed for a particular reason.Generally such functions operate by disabling interrupts which increaseinterrupt latency. Amending the functions to be restartable andcontrolling the processor to restart them following an interrupt allowsthe interrupts to be enabled for at least a portion of the processing ofthe function and helps reduce interrupt latency. For example normalcontext switching of an operating system.

Access to Secure and Non-Secure Memory

As described with reference to FIG. 1, the data processing apparatus hasmemory, which includes, inter alia, the TCM 36, cache 38, ROM 44, memoryof slave devices and external memory 56. As described with reference toFIG. 37 for example, memory is partitioned into secure and non-securememory. It will be appreciated that there will not typically be anyphysical distinction between the secure memory regions and non-securememory regions of the memory at the time of fabrication, but that theseregions will instead be defined by a secure operating system of the dataprocessing apparatus when operating in the secure domain. Hence, anyphysical part of the memory device may be allocated as secure memory,and any physical part may be allocated as non-secure memory.

As described with reference to FIGS. 2 to 5, the processing system has asecure domain and a non-secure domain. In the secure domain, a securekernel program 80 is provided and which executes in a secure mode. Amonitor program 72 is provided which straddles the secure and non-securedomains and which executes at least partly in a monitor mode. Inembodiments of the invention the monitor program executes partly in themonitor mode and partly in a secure mode. As shown in for example FIG.10, there are a plurality of secure modes including, inter alia, asupervisor mode SVC.

The monitor program 72 is responsible for managing all changes betweenthe secure and non-secure domains in either direction. Some of itsfunctions are described with reference to FIGS. 8 and 9 in the section‘Processor Modes’. The monitor program is responsive to a mode switchingrequest SMI issued in the non-secure mode to initiate a switch from thesaid non-secure mode to the said secure mode and to a mode switchingrequest SMI issued in the secure mode to initiate a switch from the saidsecure mode to the said non-secure mode. As described in the section‘Switching between worlds’, in the monitor mode, switching takes placeswitching at least some of the register from one of the secure andnon-secure domains to the other. That involves saving the state of aregister existing in one domain and writing a new state to the register(or restoring a previously saved state in the register) in the otherdomain. As also described herein access to some registers may bedisabled when performing such a switch. Preferably, in monitor mode allinterrupts are disabled.

Because the monitor mode in which the monitor program executes straddlesthe secure and non-secure domains it is important that the monitorprogram is provably secure: that is it implements only those functionsit is intended to implement. It is thus advantageous if the monitorprogram is a simple as possible. The secure modes allow processes toexecute only in the secure domain. In this embodiment of the presentinvention, the privileged secure mode(s) and the monitor mode allowsaccess to the same secure and non-secure memory. By ensuring that theprivileged secure mode(s) ‘see’ the same secure and non-secure memory,functions which could otherwise only be implemented in the monitor modeare transferred to the secure mode allowing simplification of themonitor program. In addition, this allows a process operating in aprivileged secure mode to switch directly to monitor mode and viceversa. A switch from a privileged secure mode to the monitor mode ispermitted and in the monitor mode a switch to the non-secure domain maybe made. Non-privileged secure modes must use an SMI to enter themonitor mode. The system enters the privileged secure mode following areset. Switches between the monitor mode and the privileged secure modeand back are made to facilitate state saving when moving betweendomains.

In other embodiments access to the S flag may be allowed from withinsecure privileged modes as well as from within the monitor mode. Ifsecure privileged modes are allowed to switch the processor into monitormode whilst maintaining control of the program flow, then such secureprivileged modes already effectively have the ability to change the Sflag (bit). Thus, the additional complexity of providing that the S flagcan only be changed within the monitor mode is not justified. The S flagcan instead be stored in the same way as other configuration flags whichmay be changed by one or more secure privileged modes. Such embodimentswhere the S flag may be changed within one of more secure privilegedmodes are included within the current techniques.

Returning to the previously discussed example embodiment, the apparatushas a processor core 10 which defines the modes and defines theprivilege levels of the modes; i.e. the set of functions which any modeallows. Thus the processor core 10 is arranged in known manner to allowthe secure modes and the monitor mode access to secure and non-securememory and the secure modes access to all memory to which the monitormode allows access and to allow a process operating in any privilegedsecure mode to switch directly to monitor mode and vice versa. Theprocessor core 10 is preferably arranged to allow the following.

In one example of the apparatus, the memory is partitioned into securememory and non-secure memory, and both secure and non-secure memory isaccessible only in the monitor and secure modes. Preferably, thenon-secure memory is accessible in monitor mode, a secure mode and anon-secure mode.

In another example of the apparatus, in the monitor mode and one or moreof the secure modes, access to the non-secure memory is denied to thesecure mode; and in non-secure mode access to the non-secure memory isdenied to the secure and monitor modes. Thus secure memory is accessedonly in monitor and secure modes and non-secure memory is accessed onlyby non-secure modes increasing security.

In examples of the apparatus, resetting or booting of the apparatus maybe performed in the monitor mode which may be regarded as a mode whichis more privileged than a secure mode privileged mode. However, in manyexamples of the apparatus are arranged to provide resetting or bootingin a secure mode which is possible because of the direct switchingallowed between the secure mode and the monitor mode.

As described with reference to FIG. 2, in the secure domain, and in asecure mode, a secure kernel 80 (or operating system) functions, and oneor more secure application programs 82, 84 may be run under the securekernel 80. The secure kernel and/or the secure application program orany other program code running in a secure mode is allowed access toboth secure and non-secure memory.

Whilst examples of this invention have been described with reference toapparatus having a processor, the invention may be implemented by acomputer program which when run on a suitable processor configure s theprocessor to operate as described in this section.

A description of an alternative embodiment(s) of the present techniqueconsidered from a programmer's model view is given below in relation toFIGS. 21 to 23 as follows:

In the following description, we will use the following terms that mustbe understood in the context of an ARM processor as designed by ARMLimited, of Cambridge, England.

-   S bit: Secure state bit, contained in a dedicated CP15 register.-   ‘Secure/Non-Secure state’. This state is defined by the S bit value.    It indicates whether the core may access the Secure world (when it    is in Secure state, i.e. S=1) or is restricted to the Non-secure    world only (S=0). Note that the Monitor mode (see further) overrides    the S bit status.-   ‘Non-Secure World’ groups all hardware/software accessible to    non-secure applications that do not require security.-   ‘Secure World’ groups all hardware/software (core, memory . . . )    that is only accessible when we execute secure code.-   Monitor mode: new mode that is responsible for switching the core    between the Secure and Non-secure state.

As a Brief Summary

-   The core can always access the Non-secure world.-   The core can access the Secure world only when it is in Secure state    or Monitor mode.-   SMI: Software Monitor Interrupt: New instruction that will make the    core enter the Monitor mode through a dedicated SMI exception    vector. ‘Thread ID’: is the identifier associated to each thread    (controlled by an OS). For some types of OS where the OS runs in    non-secure world, each time a secure function is called, it will be    necessary to pass as a parameter the current thread ID to link the    secure function to its calling non-secure application. The secure    world can thus support multi-threads.-   Secure Interrupt defines an interrupt generated by a Secure    peripheral.

Programmer's Model

Carbon Core Overview

The concept of the Carbon architecture, which is the term used hereinfor processors using the present techniques, consists in separating twoworlds, one secure and one non-secure. The secure world must not leakany data to non-secure world.

In the proposed solution, the secure and non-secure states will sharethe same (existing) register bank. As a consequence, all current modespresent in ARM cores (Abort, Undef, Irq, User, . . . ) will exist ineach state.

The core will know it operates in secure or non-secure state thanks to anew state bit, the S (secure) bit, instantiated in a dedicated CP15register.

Controlling which instruction or event is allowed to modify the S bit,i.e. to change from one state to the other, is a key feature of thesecurity of the system. The current solution proposes to add a new mode,the Monitor mode, that will “supervise” switching between the twostates. The Monitor mode, by writing to the appropriate CP15 register,would be the only one allowed to alter the S bit.

Finally, we propose to add some flexibility to the exception handling.All exceptions, apart from the reset, would be handled either in thestate where they happened, or would be directed to the Monitor mode.This would be left configurable thanks to a dedicated CP15 register.

The details of this solution are discussed in the following paragraphs.

Processor State and Modes

Carbon New Features

Secure or Non-Secure State (S Bit)

One major feature of the Carbon core is the presence of the S bit, whichindicates whether the core is in a Secure (S=1) or Non-secure (S=0)state. When in Secure state, the core would be able to access any datain the Secure or Non-secure worlds. When in Non-Secure state, the corewould be restricted to the Non-secure world only.

The only exception to this rule concerns the Monitor mode, whichoverrides the S bit information. Even when S=0, the core will performSecure privileged accesses when it is in Monitor mode. See nextparagraph, Monitor mode, for further information

The S bit can only be read and written in Monitor mode. Whatever the Sbit value, if any other mode tries to access it, this will be eitherignored or result in an Undefined exception.

All exceptions, apart from Reset, have no effect on the Secure statebit. On Reset, the S bit will be set, and the core will start inSupervisor mode. Refer to the boot section for detailed information.

Secure/Nonsecure states are separate and operate independently of theARM/Thumb/Java states.

Monitor Mode

One other important feature of the Carbon system is the creation of anew mode, the Monitor mode. This will be used to control the coreswitching between the Secure and Non-secure states. It will always beconsidered as a secure mode, i.e. whatever the value of the S bit, thecore will always perform Secure Privileged accesses to the externalworld when it is in Monitor mode.

Any Secure privileged mode (i.e. privileged modes when S=1) would beable to switch to Monitor mode by simply writing the CPSR mode bits(MSR, MOVS, or equivalent instruction). However, this would be forbiddenin any Non-secure mode or Secure user mode. If this ever happens, theinstruction would be ignored or cause an exception.

There may be a need for a dedicated CPSR violation exception. Thisexception would be raised by any attempt to switch to Monitor mode bydirectly writing the CPSR from any Non-secure mode or Secure user mode.

All exceptions except Reset are in effect disabled when Monitor mode isactive:

-   all interrupts are masked;-   all memory exceptions are either ignored or cause a fatal exception.-   undefined/SWI/SMI are ignored or cause a fatal exception.

When entering Monitor mode, the interrupts are automatically disabledand the system monitor should be written such that none of the othertypes of exception can happen while the system monitor is running.

Monitor mode needs to have some private registers. This solutionproposes that we only duplicate the minimal set of registers, i.e R13(sp_mon), R14 (1 r_mon) and SPSR (spsr_mon).

In Monitor mode, the MMU will be disabled (flat address map) as well asthe MPU or partition checker (the Monitor mode will always performsecure privileged external accesses). However, specially programmed MPUregion attributes (cacheability, . . . ) would still be active. As analternative the Monitor mode may use whatever mapping is used by thesecure domain.

New Instruction

This proposal requires adding one new instruction to the existing ARMinstruction set.

The SMI (Software Monitor Interrupt) instruction would be used to enterthe Monitor mode, branching at a fixed SMI exception vector. Thisinstruction would be mainly used to indicate to the Monitor to swapbetween the Non-secure and Secure State.

As an alternative (or in addition) it would be possible to add a newinstruction to allow the Monitor mode to save/restore the state of anyother mode onto/from the Monitor stack to improve context switchingperformance.

Processor Modes

As discussed in the previous paragraph, only one new mode is added inthe core, the Monitor mode. All existing modes remain available, andwill exist both in the secure and non-secure states.

In fact, Carbon users will see the structure illustrated in FIG. 21.

Processor Registers

This embodiment proposes that the secure and the non-secure worlds sharethe same register bank. This implies that, when switching from one worldto the other through the Monitor mode, the system monitor will need tosave the first world context, and create (or restore) a context in thesecond world.

Passing parameters becomes an easy task: any data contained in aregister in the first world will be available in the same register inthe second world once the system monitor has switched the S bit.

However, apart from a limited number of registers dedicated to passingparameters, which will need to be strictly controlled, all otherregisters will need to be flushed when passing from Secure to Non-securestate in order to avoid any leak of Secure data. This will need to beensured by the Monitor kernel.

The possibility of implementing a hardware mechanism or a newinstruction to directly flush the registers when switching from Secureto Non-secure state is also a possibility.

Another solution proposed involves duplicating all (or most of) theexisting register bank, thus having two physically separated registerbanks between the Secure and Non-secure state. This solution has themain advantage of clearly separating the secure and non-secure datacontained in the registers. It also allows fast context switchingbetween the secure and non-secure states. However, the drawback is thatpassing parameters through registers becomes difficult, unless we createsome dedicated instructions to allow the secure world access thenon-secure registers

FIG. 22 illustrates the available registers depending on the processormode. Note that the processor state has no impact on this topic.

Exceptions

Secure Interrupts

Current Solution

It is currently proposed to keep the same interrupt pins as in thecurrent cores, i.e. IRQ and FIQ. In association with the Exception TrapMask register (defined later in the document), there should besufficient flexibility for any system to implement and handle differentkind of interrupts.

VIC Enhancement

We could enhance the VIC (Vectored Interrupt Controller) in thefollowing way: the VIC may contain one Secure information bit associatedto each vectored address. This bit would be programmable by the Monitoror Secure privileged modes only. It would indicate whether theconsidered interrupt should be treated as Secure, and thus should behandled on the Secure side.

We would also add two new Vector Address registers, one for all SecureInterrupts happening in Non-Secure state, the other one for allNon-Secure interrupts happening in Secure state.

The S bit information contained in CP15 would be also available to theVIC as a new VIC input.

The following table summarizes the different possible scenarios,depending on the status of the incoming interrupt (Secure or Non-secure,indicated by the S bit associated to each interrupt line) and the stateof the core (S bit in CP15=S input signal on the VIC).

Core in secure state Core in Non-secure state (CP15 − S = 1) (CP15 − S =0) Secure No need to switch between worlds. The VIC has no Vectorassociated Interrupt The VIC directly presents to the core the to thisinterrupt in the Non-secure Secure address associated to the interruptline. domain. It thus presents to the core The core simply has to branchat this address the address contained in the Vector where it should findthe associated ISR. address register dedicated to all Secure interruptsoccurring in Non- secure world. The core, still in Non- secure world,then branches to this address, where it should find an SMI instructionto switch to Secure world. Once in Secure world, it would be able tohave access to the correct ISR. Non- The VIC has no Vector associated tothis No need to switch between worlds. Secure interrupt in the Securedomain. It thus The VIC directly presents to the Interrupt presents tothe core the address contained in core the Non-secure address the Vectoraddress register dedicated to all associated to the interrupt line. TheNon-secure interrupts occurring in Secure core simply has to branch atthis world. The core, still in Secure world, then address where itshould find the branches to this address, where it should findassociated Non-secure ISR. an SMI instruction to switch to Non-secureworld. Once in Non-secure world, it would be able to have access to thecorrect ISR.

Exception Handling Configurability

In order to improve Carbon flexibility, a new register, the ExceptionTrap Mask, would be added in CP15. This register would contain thefollowing bits:

Bit 0: Undef exception (Non-secure state) Bit 1: SWI exception(Non-secure state) Bit 2: Prefetch abort exception (Non-secure state)Bit 3: Data abort exception (Non-secure state) Bit 4: IRQ exception(Non-secure state) Bit 5: FIQ exception (Non-secure state) Bit 6: SMIexception (both Non-secure/Secure states) Bit 16: Undef exception(Secure state) Bit 17: SWI exception (Secure state) Bit 18: Prefetchabort exception (Secure state) Bit 19: Data abort exception (Securestate) Bit 20: IRQ exception (Secure state) Bit 21: FIQ exception(Secure state)

The Reset exception does not have any corresponding bit in thisregister. Reset will always cause the core to enter the Securesupervisor mode through its dedicated vector.

If the bit is set, the corresponding exception makes the core enter theMonitor mode. Otherwise, the exception will be handled in itscorresponding handler in the world where it occurred.

This register would only be visible in Monitor mode. Any instructiontrying to access it in any other mode would be ignored.

This register should be initialized to a system-specific value,depending upon whether the system supports a monitor or not. Thisfunctionality could be controlled by a VIC.

Exception Vectors Tables

As there will be separate Secure and Non-secure worlds, we will alsoneed separate Secure and Non-secure exception vectors tables.

Moreover, as the Monitor can also trap some exceptions, we may also needa third exception vectors table dedicated to the Monitor.

The following table summarizes those three different exception vectorstables:

In non-secure memory Address Exception Mode Automatically accessed when0x00 — — 0x04 Undef Undef Undefined instruction executed when core is inNon-Secure state and Exception Trap Mask reg [Non-secure Undef]=0 0x08SWI Supervisor SWI instruction executed when core is in Non-Secure stateand Exception Trap Mask reg [Non-secure SWI]=0 0x0C Prefetch AbortAborted instruction when core is in Abort Non-Secure state and ExceptionTrap Mask reg [Non-secure PAbort]=0 0x10 Data Abort Aborted data whencore is in Non- Abort Secure state and Exception Trap Mask reg[Non-secure DAbort]=0 0x14 Reserved 0x18 IRQ IRQ IRQ pin asserted whencore is in Non- Secure state and Exception Trap Mask reg [Non-secureIRQ]=0 0x1C FIQ FIQ FIQ pin asserted when core is in Non- Secure stateand Exception Trap Mask reg [Non-secure FIQ]=0

In secure memory: Address Exception Mode Automatically accessed when0x00 Reset* Supervisor Reset pin asserted 0x04 Undef Undef Undefinedinstruction executed when core is in Secure state and Exception TrapMask reg [Secure Undef]=0 0x08 SWI Supervisor SWI instruction executedwhen core is in Secure state and Exception Trap Mask reg [Secure SWI]=00x0C Prefetch Abort Aborted instruction when core is in Abort Securestate and Exception Trap Mask reg [Secure PAbort]=0 0x10 Data AbortAborted data when core is in Secure Abort state and Exception Trap Maskreg [Secure Dabort]=0 0x14 Reserved 0x18 IRQ IRQ IRQ pin asserted whencore is in Secure state and Exception Trap Mask reg [Secure IRQ]=0 0x1CFIQ FIQ FIQ pin asserted when core is in Secure state and Exception TrapMask reg [Secure FIQ]=0 *Refer to “Boot” section for further explanationon the Reset mechanism

In Monitor memory (flat mapping): Address Exception Mode Automaticallyaccessed when 0x00 — — — 0x04 Undef Monitor Undefined instructionexecuted when Core is in Secure state and Exception Trap Mask reg[Secure Undef]=1 Core is in Non-secure state and Exception Trap Mask reg[Non-secure Undef]=1 0x08 SWI Monitor SWI instruction executed when Coreis in Secure state and Exception Trap Mask reg [Secure SWI]=1 Core is inNon-secure state and Exception Trap Mask reg [Non-secure SWI]=1 0x0CPrefetch Monitor Aborted instruction when Abort Core is in Secure stateand Exception Trap Mask reg [Secure IAbort]=1 Core is in Non-securestate and Exception Trap Mask reg [Non-secure Iabort]=1 0x10 DataMonitor Aborted data when Abort Core is in Secure state and ExceptionTrap Mask reg [Secure PAbort]=1 Core is in Non-secure state andException Trap Mask reg [Non-secure Pabort]=1 0x14 SMI Monitor 0x18 IRQMonitor IRQ pin asserted when core is in Secure state and Exception TrapMask reg [Secure IRQ]=1 core is in Non-secure state and Exception TrapMask reg [Non-secure IRQ]=1 0x1C FIQ Monitor FIQ pin asserted when coreis in Secure state and Exception Trap Mask reg [Secure FIQ]=1 core is inNon-secure state and Exception Trap Mask reg [Non-secure FIQ]=1

In Monitor mode, the exceptions vectors may be duplicated, so that eachexception will have two different associated vector:

-   One for the exception arising in Non-secure state-   One for the exception arising in Secure state

This may be useful to reduce the exception latency, because the monitorkernel does not have any more the need to detect the originating statewhere the exception occurred.

Note that this feature may be limited to a few exceptions, the SMI beingone of the most suitable candidates to improve the switching between theSecure and Non-secure states.

Switching between Worlds

When switching between states, the Monitor mode must save the context ofthe first state on its Monitor stack, and restore the second statecontext from the Monitor stack.

The Monitor mode thus needs to have access to any register of any othermodes, including the private registers (r14, SPSR, . . . ).

To handle this, the proposed solution consists in giving any privilegemode in Secure state the rights to directly switch to Monitor mode bysimply writing the CPSR.

With such a system, switching between worlds is performed as follows:

-   enter Monitor mode-   set the S bit-   switch to supervisor mode—save the supervisor registers on the    MONITOR stack (of course the supervisor mode will need to have    access to the Monitor stack pointer, but this can be easily done,    for example by using a common register (R0 to R8))-   switch to System mode—save the registers (=same as the user mode) on    the Monitor stack-   IRQ registers on the Monitor stack etc . . . for all modes-   Once all private registers of all modes are saved, revert to Monitor    mode with a simple MSR instruction (=simply write Monitor value in    the CPSR mode field)

The other solutions have also been considered:

-   Add a new instruction that would allow the Monitor to save other    modes' private registers on its own stack.-   Implement the Monitor as a new “state”, i.e. being able to be in    Monitor state (to have the appropriate access rights) and in IRQ (or    any other) mode, to see the IRQ (or any other) private registers.

Basic Scenario (See FIG. 23)

-   1. Thread 1 is running in non-secure world (S bit=0)

This thread needs to perform a secure function=>SMI instruction.

-   2. The SMI instruction makes the core enter the Monitor mode through    a non-secure SMI vector.

LR_mon and SPSR_mon are used to save the PC and CPSR of the non securemode.

-   -   At this stage the S bit remains unchanged, although the system        is now in a secure state.    -   The monitor kernel saves the non-secure context on the monitor.    -   It also pushes LR_mon and SPSR_mon.    -   The monitor kernel then changes the “S” bit by writing into the        CP15 register.    -   In this embodiment the monitor kernel keeps track that a “secure        thread 1” will be started in the secure world (e.g. by updating        a Thread ID table).    -   Finally, it exits the monitor mode and switches to secure        supervisor mode (MOVS instruction after having updated LR_mon        and SPSR_mon?).

-   3. The secure kernel dispatches the application to the right secure    memory location, then switches to user mode (e.g. using a MOVS).

-   4. The secure function in executed in secure user mode. Once    finished, it calls an “exit” function by performing an appropriate    SWI.

-   5. The SWI instruction makes the core enter the secure svc mode    through a dedicated SWI vector, that in turn performs the “exit”    function. This “exit” function ends with an “SMI” to switch back to    monitor mode.

-   6. The SMI instruction makes the core enter the monitor mode through    a dedicated secure SMI vector.    -   LR_mon and SPSR_mon are used to save the PC and CPSR of the        Secure svc mode.    -   The S bit remains unchanged (i.e. Secure State).    -   The monitor kernel registers the fact that secure thread 1 is        finished (removes the secure thread 1 ID from the thread ID        table?).    -   It then changes the “S” bit by writing into the CP15 register,        returning to non-secure state.    -   The monitor kernel restores the non-secure context from the        monitor stack.    -   It also load the LR_mon and CPSR_mon previously saved in step 2.    -   Finally, it exits monitor mode with a SUBS, that will make the        core return in non-secure user mode, on the instruction

-   7. Thread 1 can resume normally.

Referring to FIG. 6, all of the registers are shared between the secureand non-secure domains In monitor mode, switching takes place switchingthe registers from one of the secure and non-secure domains to theother. That involves saving the state of a register existing in onedomain and writing a new state to the register (or restoring apreviously saved state in the register) in the other domain as is alsodescribed in the section ‘Switching between Worlds’ above.

It is desirable to reduce the time taken to perform this switch. Toreduce the time taken to perform the switch, the shared registers aredisabled when switching between the secure and non-secure domainsretaining unchanged the data values stored therein. For example,consider a switch from the non-secure domain to the secure domain.Assume that for example the FIQ registers shown in FIG. 6 are not neededin the secure world. Thus, those registers are disabled and there is noneed to switch them to the secure domain and there is no need to savethe contents of those registers.

Disabling of the registers may be achieved in several ways. One way isto lock out the mode which uses those registers. That is done by writinga control bit in a CP15 register indicating the disabling of that mode.

Alternatively, access to the registers may be disabled on an instructionby instruction basis again by writing control bits in a CP15 register.The bits written in the CP15 register relate explicitly to the register,not the mode, so the mode is not disabled but access to the register inthe mode is disabled.

The FIQ registers store data associated with a fast interrupt. If theFIQ register(s) are disabled and a fast interrupt occurs, the processorsignals an exception in the monitor. In response to an exception, themonitor mode is operable to save any data values associated with onedomain and stored in the said disabled register and to load into thatregister new data values associated with the other domain and thenre-enable the FIQ mode registers.

The processor may be arranged so that when in the monitor mode allbanked registers are disabled when the processor switches domains.Alternatively, the disabling of the registers may be selective in thatsome predetermined ones of the shared registers are disabled whenswitching domains and others may be disabled at the choice of theprogrammer.

The processor may be arranged so that when switching domains in themonitor mode, one or more of the shared registers are disabled, and oneor more others of the shared registers have their data saved whenexisting one domain, and have new data loaded in the other domain. Thenew data may be null data.

FIG. 24 schematically illustrates the concept of adding a secureprocessing option to a traditional ARM core. The diagram schematicallyshows how a processor that contains a secure processing option can beformed by adding a secure processing option to an existing core. If thesystem is to be backwards compatible with an existing legacy operatingsystem, it is intuitive to think of the legacy system operating in thetraditional non-secure part of the processor. However, as is shownschematically in the lower part of the Figure and is detailed furtherbelow, it is in fact in the secure portion of the system that a legacysystem operates.

FIG. 25 shows a processor having a secure and non-secure domain andillustrating reset and is similar to FIG. 2. FIG. 2 illustrates aprocessor that is adapted to run a security sensitive type of operationwith a secure OS system controlling processing in the secure domain anda non-secure OS system controlling processing in the non-secure domain.The processor is however also backwards compatible with a traditionallegacy operating system and thus, the processor may operate in asecurity insensitive way using a legacy operating system.

As is shown in FIG. 25, the reset is in the secure domain, and whateverthe type of operation reset occurs here with the S-bit or securitystatus flag set. In the case of a security insensitive type ofoperation, reset occurs in the secure domain and processing thencontinues within the secure domain. The legacy operating systemcontrolling processing is however unaware of the security aspects of thesystem.

As is shown in FIG. 25 reset is performed to set the address at which tostart processing within the secure supervisor mode whether processing isto be secure sensitive or is in fact secure insensitive. Once reset hasbeen performed the additional tasks present in a boot or rebootmechanism are then performed. The boot mechanism is described below.

Boot mechanism

The boot mechanism must respect the following features:

-   Keep compatibility with legacy OSes.-   Boot in most privileged mode to ensure the security of the system.    As a consequence, Carbon cores will boot in Secure Supervisor mode.

The different systems will then be:

-   For systems wanting to run legacy OSes, the S bit is not taken into    account and the core will just see it boots in Supervisor mode.-   For systems wanting to use the Carbon features, the core boots in    Secure privileged mode which should be able to configure all secure    protections in the system (potentially after swapping to Monitor    mode)

With respect to the details of the boot mechanism given above theprocessor of embodiments of the present invention resets the processorto start processing in the secure supervisor mode in all cases. In thecase of a security insensitive type of operation the operating system isin effect operating in the secure domain although security is not herean issue, because the S bit is set (although the operating system isunaware of this). This has the advantage that parts of the memory thatare inaccessible from the non-secure domain are accessible in thissituation.

Booting in secure supervisor mode in all cases is also advantageous insecurity sensitive systems as it helps ensure the security of thesystem. In secure sensitive systems, the address provided at boot pointsto where the boot program is stored in secure supervisor mode and thus,enables the system to be configured as a secure system and to switch tomonitor mode. Switching from secure supervisor mode to monitor mode isallowed in general and enables the secure system at an appropriate timeto start processing in monitor mode to initialise monitor modeconfiguration.

FIG. 26 illustrates at step 1 a non-secure thread NSA being executed bya non-secure operating system. At step 2 the non-secure thread NSA makesa call to the secure domain via the monitor mode running a monitor modeprogram at step 3. The monitor mode program changes the S-bit to switchdomain and performs any necessary context saving and context restoringprior to moving to the secure operating system at step 5. Thecorresponding secure thread SA is then executed before it is subject toan interrupt irq at step 6. The interrupt handling hardware triggers areturn to the monitor mode at step 7 where it is determined as towhether the interrupt will be handled by the secure operating system orthe non-secure operating system. In this case, the interrupt is handledby the non-secure operating system starting at step 9. When thisinterrupt has been handled by the non-secure operating system, thenon-secure thread NSA is resumed as the current task in the non-secureoperating system prior to a normal thread switching operation at step11. This thread switching may be the result of a timing event or thelike. A different thread NSB is executed in the non-secure domain by thenon-secure operating system at step 12 and this then makes a call to thesecure domain via the monitor domain/program at step 14. The monitorprogram at step 7 has stored a flag, used some other mechanism, toindicate that the secure operating system was last suspended as a resultof an interrupt rather than having been left because a secure thread hadfinished execution or due to a normal request to leave. Accordingly,since the secure operating system was suspended by an interrupt, themonitor program at step 15 re-enters the secure operating system using asoftware faked interrupt which specifies a return thread ID (e.g. anidentifier of the thread to be started by the secure operating system asrequested by the non-secure thread NSB, as well as other parameterdata). These parameters of the software faked interrupt may be passed asregister values.

The software faked interrupt triggers a return interrupt handler routineof the secure operating system at step 15. This return interrupt handlerroutine examines the return thread ID of the software faked interrupt todetermine whether or not this matches the thread ID of the secure threadSA which was interrupted the last time the secure operating system wasexecuted prior to its suspension. In this case, there is not a match andaccordingly at step 16 the secure operating system is triggered toperform a thread switch to the return thread as specified by thenon-secure thread NSB after the context of the secure thread SA has beensaved. The secure thread SA can then later be restarted from the pointat which it was interrupted as required.

FIG. 27 schematically illustrates another example of the type ofbehaviour illustrated in FIG. 26. In this example whilst processingproceeds under control of the non-secure operating system to handle theirq, there is no non-secure thread switch and accordingly when thesoftware faked interrupt is received by the return interrupt handler ofthe secure operating system it determines that no thread switch isrequired and simply resumes the secure thread SA at step 15.

FIG. 28 is a flow diagram schematically illustrating the processingperformed by the return thread handler. At step 4002 the return threadhandler is started. At step 4004 the return thread identifier from thesoftware faked interrupt is examined and compared with the currentlyexecuting secure thread when the secure operating system was suspended.If these match, then processing proceeds to step 4006 at which thesecure thread is resumed. If the comparison at step 4004 is not matched,then processing proceeds to step 4008 at which the context of the oldsecure thread is saved, (for subsequent resumption) prior to a switchbeing made to the new secure thread at step 4010. The new thread mightalready be under way and so step 4010 is a resumption.

FIG. 29 schematically illustrates processing whereby a slave secureoperating system may follow task switches performed by a masternon-secure operating system. The master non-secure operating system maybe a legacy operating system with no mechanisms for communicating andcoordinating its activities to other operating systems and accordinglyoperate only as a master. As an initial entry point in FIG. 29 thenon-secure operating system is executing a non-secure thread NSA. Thisnon-secure thread NSA makes a call to a secure thread which is to beexecuted by the secure operating system using a software interrupt, anSMI call. The SMI call goes to a monitor program executing in a monitormode at step 2 whereupon the monitor program performs any necessarycontext saving and switching before passing the call onto the secureoperating system at step 4. The secure operating system then starts thecorresponding secure thread SA. This secure thread may return controlvia the monitor mode to the non-secure operating system, such as as aresult of a timer event or the like. When the non-secure thread NSAagain passes control to the secure operating system at step 9 it does soby reissuing the original software interrupt. The software interruptincludes the non-secure thread ID identifying NSA, the secure thread IDof the target secure thread to be activated, i.e. the thread IDidentifying secure thread SA as well as other parameters.

When the call generated at step 9 is passed on by the monitor programand received at step 12 in the secure domain by the secure operatingsystem, the non-secure thread ID can be examined to determine whether ornot there has been a context switch by the non-secure operating system.The secure thread ID of the target thread may also be examined to seethat the correct thread under the secure operating system is restartedor started as a new thread. In the example of FIG. 29, no thread switchis required in the secure domain by the secure operating system.

FIG. 30 is similar to FIG. 29 except that a switch in thread occurs atstep 9 in the non-secure domain under control of the non-secureoperating system. Accordingly, it is a different non-secure thread NSBwhich makes the software interrupt call across to the secure operatingsystem at step 11. At step 14, the secure operating system recognisesthe different thread ID of the non-secure thread NSB and accordinglyperforms a task switch involving saving the context of the secure threadSA and starting the secure thread SB.

FIG. 31 is a flow diagram schematically illustrating processingperformed by the secure operating system when receiving a softwareinterrupt as a call to start a thread or resume a thread of the secureoperating system. At step 4012 the call is received. At step 4014 theparameters of the call are examined to determine if they match thecurrently active secure thread upon the secure operating system. If amatch occurs, then this secure thread is restarted at step 4016. If amatch does not occur, then processing proceeds to step 4018 where adetermination is made as to whether or not the newly requested thread isavailable. The newly requested thread might be unavailable due to areason such as it being or requiring an exclusive resource which isalready in use by some other thread executing on a secure operatingsystem. In such a case, the call is rejected at step 4020 with anappropriate message being returned to the non-secure operating system.If the determination at step 4018 is that the new thread is available,then processing proceeds to step 4022 at which the context of the oldsecure thread is saved for possible later resumption. At step 4024 aswitch is made to the new secure thread as specified in the softwareinterrupt call made to the secure operating system.

FIG. 32 schematically illustrates operation whereby a priority inversionmay occur when handling interrupts within a system having multipleoperating systems with different interrupts being handled by differentoperating systems.

Processing starts with the secure operating system executing a securethread SA. This is then interrupted by a first interrupt Int1. Thistriggers the monitor program within the monitor mode to determinewhether or not the interrupt is to be handled in the secure domain orthe non-secure domain. In this case, the interrupt is to be handled inthe secure domain and processing is returned to the secure operatingsystem and the interrupt handling routine for interrupt Int1 is started.Partway through execution of the interrupt handling routine for Int1, afurther interrupt Int2 is received which has a higher priority. Thus,the interrupt handler for Int 1 is stopped and the monitor program inthe monitor mode used to determine where the interrupt Int2 is to behandled. In this case the interrupt Int2 is to be handled by thenon-secure operating system and accordingly control is passed to thenon-secure operating system and the interrupt handler for Int2 started.When this interrupt handler for the interrupt Int2 has completed, thenon-secure operating system has no information indicating that there isa pending interrupt Int1 for which servicing has been suspended in thesecure domain. Accordingly, the non-secure operating system may performsome further processing, such as a task switch or the starting of adifferent non-secure thread NSB, whilst the original interrupt Int1remains unserviced.

FIG. 33 illustrates a technique whereby the problems associated with theoperation of FIG. 32 may be avoided. When the interrupt Int1 occurs, themonitor program passes this to the non-secure domain where a stubinterrupt handler is started. This stub interrupt handler is relativelysmall and quickly returns processing to the secure domain via themonitor mode and triggers an interrupt handler for the interrupt Int1within the secure domain. The interrupt Int1 is primarily processedwithin the secure domain and the starting of the stub interrupt handlerin the non-secure domain can be regarded as a type of placeholder toindicate to the non-secure domain that the interrupt is pending in thesecure domain.

The interrupt handler in the secure domain for the interrupt Int1 isagain subject to a high priority Int2. This triggers execution of theinterrupt handler for the interrupt Int2 in the non-secure domain asbefore. However, in this case, when that interrupt handler for Int2 hasfinished, the non-secure operating system has data indicating that thestub interrupt handler for interrupt Int1 is still outstanding andaccordingly will resume this stub interrupt handler. This stub interrupthandler will appear as if it were suspended at the point at which itmade its call back to the secure domain and accordingly this call willbe re-executed and thus the switch made to the secure domain. Once backin the secure domain, the secure domain can itself re-start theinterrupt handler for the interrupt Int1 at the point at which it wassuspended. When the interrupt handler for the interrupt Int1 hascompleted within the secure domain, a call is made back to thenon-secure domain to close down the stub interrupt handler in thenon-secure domain before the originally executing secure thread SA isresumed.

FIG. 34 schematically illustrates different types of interrupt withtheir associated priorities and how they may be handled. High priorityinterrupts may be handled using purely secure domain interrupt handlersproviding there is no higher priority interrupt that is handled by thenon-secure domain. Once there is an interrupt having a priority higherthan subsequent interrupts and which is handled in the non-securedomain, then all lower interrupts must either be handled purely in thenon-secure domain or utilise the stub interrupt handler techniqueillustrated in FIG. 33 whereby the non-secure domain can keep track ofthese interrupts even though their main handling is occurring within thesecure domain.

As mentioned earlier, the monitor mode is used to perform switchingbetween the secure domain and the non-secure domain. In embodimentswhere registers are shared between the two different domains, thisinvolves saving the state within those registers into memory, and thenloading the new state for the destination domain from memory into thoseregisters. For any registers which are not shared between the twodomains, the state need not be saved away, since those registers willnot be accessed by the other domain, and switching between the states isimplemented as a direct result of switching between the secure andnon-secure domains (i.e. the value of the S bit stored in one of theCP15 registers determines which of the non-shared registers are used)

Part of the state that needs to be switched whilst in the monitor modeis the processor configuration data controlling access to memory by theprocessor. Since within each domain there is a different view of thememory, for example the secure domain having access to secure memory forstoring secure data, this secure memory not being accessible from thenon-secure domain, it is clear that the processor configuration datawill need to be changed when switching between the domains.

As illustrated in FIG. 35, this processor configuration data is storedwithin the CP15 registers 34, and in one embodiment these registers areshared between the domains. Hence, when the monitor mode is switchedbetween the secure domain and the non-secure domain, the processorconfiguration data currently in the CP15 registers 34 needs to beswitched out of the CP15 registers into memory, and processorconfiguration data relating to the destination domain needs to be loadedinto the CP15 registers 34.

Since the processor configuration data in the CP15 registers typicallyhas an immediate effect on the access to memory within the system, thenit is clear that these settings would become immediately effective asthey are updated by the processor whilst operating in the monitor mode.However, this is undesirable since it is desirable for the monitor modeto have a static set of processor configuration data that control accessto memory whilst in monitor mode.

Accordingly, as shown in FIG. 35, in one embodiment of the presentinvention monitor mode specific processor configuration data 2000 isprovided, which can be used to override the processor configuration datain the CP15 registers 34 whilst the processor is operating in themonitor mode. This is achieved in the embodiment illustrated in FIG. 35through the provision of a multiplexer 2010 which receives at its inputsboth the processor configuration data stored in the CP15 registers andthe monitor mode specific processor configuration data 2000.Furthermore, the multiplexer 2010 receives a control signal over path2015 indicating whether the processor is currently operating in themonitor mode or not. If the processor is not operating in the monitormode, then the processor configuration data in the CP15 registers 34 isoutput to the system, but in the event that the processor is operatingin the monitor mode, the multiplexer 2010 instead outputs the monitormode specific processor configuration data 2000 to ensure that aconsistent set of processor configuration data is applied while theprocessor is operating in the monitor mode.

The monitor mode specific processor configuration data can be hard-codedwithin the system, thereby ensuring that it cannot be manipulated.However, it is possible that the monitor mode specific processorconfiguration data 2000 could be made programmable without compromisingsecurity, provided that that monitor mode specific processorconfiguration data could only be modified by the processor whenoperating in a secure privileged mode. This would allow some flexibilityas to the setting of the monitor mode specific processor configurationdata. If the monitor mode specific processor configuration data isarranged to be programmable, that configuration data can be stored inany appropriate place within the system, for example within a separateset of registers within the CP15 registers 34.

Typically, the monitor mode specific processor configuration data willbe set so as to provide a very secure environment for operation of theprocessor in the monitor mode. Hence, in the above-described embodiment,the monitor mode specific processor configuration data may specify thatthe memory management unit 30 is disabled whilst the processor isoperating in the monitor mode, thereby disabling any virtual to physicaladdress translation that might otherwise be applied by the memorymanagement unit. In such a situation, the processor will always bearranged to directly issue physical addresses when issuing memory accessrequests, i.e. flat mapping will be employed. This ensures that theprocessor can reliably access memory whilst operating in the monitormode, irrespective of whether any virtual to physical address mappingshave been tampered with.

The monitor mode specific processor configuration data would alsotypically specify that the processor is allowed to access the securedata whilst the processor is operating in the monitor mode. This ispreferably specified by memory permission data taking the form of adomain status bit, this domain status bit having the same value thatwould be specified for the corresponding domain status bit (“S” bit)within the secure processor configuration data. Hence, irrespective ofthe actual value of the domain status bit stored within the CP15registers, that value will get overridden by the domain status bitspecified by the monitor mode specific processor configuration data, toensure that the monitor mode has access to secure data.

The monitor mode specific processor configuration data may also specifyother data used to control access to parts of the memory. For example,the monitor mode specific processor configuration data may specify thatthe cache 38 is not to be used to access data whilst the processor isoperating in the monitor mode.

In the embodiment described above, it has been assumed that all of theCP15 registers containing processor configuration data are sharedbetween the domains. However, in an alternative embodiment, a number ofthe CP15 registers are “banked”, so that for example there are tworegisters for storing a particular item of processor configuration data,one register being accessible in the non-secure domain and containingthe value of that item of processor configuration data for thenon-secure domain, and the other register being accessible in the securedomain and containing the value of that item of processor configurationdata for the secure domain.

One CP15 register that will not be banked is the one containing the “S”bit, but in principle any of the other CP15 registers may be banked ifdesired. In such embodiments, the switching of the processorconfiguration data by the monitor mode involves switching out of anyshared CP15 registers into memory the processor configuration datacurrently in those shared registers, and loading into those shared CP15registers the processor configuration data relating to the destinationdomain. For any banked registers, the processor configuration data neednot be stored away to memory, and instead the switching will occurautomatically as a result of changing the S bit value stored in therelevant shared CP15 register.

As mentioned earlier, the monitor mode processor configuration data willinclude a domain status bit which overrides that stored in the relevantCP15 register but has the same value as that used for the domain statusbit used in the secure domain (i.e. an S bit value of 1 in the abovedescribed embodiments). When a number of the CP15 registers are banked,this means that at least part of the monitor mode specific processorconfiguration data 2000 in FIG. 35 can be derived from the secureprocessor configuration data stored in banked registers since thoseregisters contents are not written out to memory during the switchingprocess.

Hence, as an example, since the monitor mode specific processorconfiguration data will specify a domain status bit to override thatwhich is otherwise used when not in monitor mode, and in preferredembodiments this has the same value as that used in the secure domain,this means that the logic that selects which of the banked CP15registers are accessible will allow the secure banked CP15 registers tobe accessed. By allowing the monitor mode to use this secure processorconfiguration data as the relevant part of the monitor mode specificprocessor configuration data, a saving in resource can be realised sinceit is no longer necessary to provide a separate set of registers forthose items of monitor mode specific processor configuration data.

FIG. 36 is a flow diagram illustrating the steps performed to switch theprocessor configuration data when a transition between one domain andthe other is required. As mentioned previously, an SMI instruction isissued in order to instigate the transition between domains.Accordingly, at step 2020, the issuance of an SMI instruction isawaited. When an SMI instruction is received, the processor proceeds tostep 2030, where the processor begins running the monitor program inmonitor mode, this causing the monitor mode specific processorconfiguration data to be used as a result of the control signal on path2015 into the multiplexer 2010 causing the multiplexer to switch to thatmonitor mode specific processor configuration data. As mentionedearlier, this can be a self-contained set of data, or certain parts ofit may be derived from the secure processor configuration data stored inbanked registers.

Thereafter, at step 2040, the current state is saved from the domainissuing the SMI instruction into memory, this including saving from anyshared CP15 registers the state of the processor configuration datarelevant to that domain. Typically, there will be a portion of memoryset aside for the storage of such state. Then, at step 2050, the statepointer is switched to point to the portion of memory that contains thecorresponding state for the destination domain. Hence, typically, therewill be two portions of memory allocated for storing state information,one allocated for storing the state for the non-secure domain, and oneallocated for storing the state for the secure domain.

Once the state pointer has been switched at step 2050, that state nowpointed to by the state pointer is loaded into the relevant shared CP15registers at step 2060, this including loading in the relevant processorconfiguration data for the destination domain. Thereafter, at step 2070,the monitor program is exited, as is the monitor mode, and the processorthen switches to the required mode in the destination domain.

FIG. 37 illustrates in more detail the operation of the memorymanagement logic 30 of one embodiment of the present invention. Thememory management logic consists of a Memory Management Unit (MMU) 200and a Memory Protection Unit (MPU) 220. Any memory access request issuedby the core 10 that specifies a virtual address will be passed over path234 to the MMU 200, the MMU 200 being responsible for performingpredetermined access control functions, more particularly fordetermining the physical address corresponding to that virtual address,and for resolving access permission rights and determining regionattributes.

The memory system of the data processing apparatus consists of securememory and non-secure memory, the secure memory being used to storesecure data that is intended only to be accessible by the core 10, orone or more other master devices, when that core or other device isoperating in a secure mode of operation, and is accordingly operating inthe secure domain.

In the embodiment of the present invention illustrated in FIG. 37, thepolicing of attempts to access secure data in secure memory byapplications running on the core 10 in non-secure mode is performed bythe partition checker 222 within the MPU 220, the MPU 220 being managedby the secure operating system, also referred to herein as the securekernel.

In accordance with preferred embodiments of the present invention anon-secure page table 58 is provided within non-secure memory, forexample within a non-secure memory portion of external memory 56, and isused to store for each of a number of non-secure memory regions definedwithin that page table a corresponding descriptor. The descriptorcontains information from which the MMU 200 can derive access controlinformation required to enable the MMU to perform the predeterminedaccess control functions, and accordingly in the embodiment describedwith reference to FIG. 37 will provide information about the virtual tophysical address mapping, the access permission rights, and any regionattributes.

Furthermore, in accordance with the preferred embodiments of the presentinvention, at least one secure page table 58 is provided within securememory of the memory system, for example within a secure part ofexternal memory 56, which again for a number of memory regions definedwithin the table provides an associated descriptor. When the processoris operating in a non-secure mode, the non-secure page table will bereferenced in order to obtain relevant descriptors for use in managingmemory accesses, whilst when the processor is operating in secure mode,descriptors from the secure page table will be used.

The retrieval of descriptors from the relevant page table into the MMUproceeds as follows. In the event that the memory access request issuedby the core 10 specifies a virtual address, a lookup is performed in themicro-TLB 206 which stores for one of a number of virtual addressportions the corresponding physical address portions obtained from therelevant page table. Hence, the micro-TLB 206 will compare a certainportion of the virtual address with the corresponding virtual addressportion stored within the micro-TLB to determine if there is a match.The portion compared will typically be some predetermined number of mostsignificant bits of the virtual address, the number of bits beingdependent on the granularity of the pages within the page table 58. Thelookup performed within the micro-TLB 206 will typically be relativelyquick, since the micro-TLB 206 will only include a relatively few numberof entries, for example eight entries

In the event that there is no match found within the micro-TLB 206, thenthe memory access request is passed over path 242 to the main TLB 208which contains a number of descriptors obtained from the page tables. Aswill be discussed in more detail later, descriptors from both thenon-secure page table and the secure page table can co-exist within themain TLB 208, and each entry within the main TLB has a correspondingflag (referred to herein as a domain flag) which is settable to indicatewhether the corresponding descriptor in that entry has been obtainedfrom a secure page table or a non-secure page table. In any embodimentswhere all secure modes of operation specify physical addresses directlywithin their memory access requests, it will be appreciated that therewill not be a need for such a flag within the main TLB, as the main TLBwill only store non-secure descriptors.

Within the main TLB 208, a similar lookup process is performed todetermine whether the relevant portion of the virtual address issuedwithin the memory access request corresponds with any of the virtualaddress portions associated with descriptors in the main TLB 208 thatare relevant to the particular mode of operation. Hence, if the core 10is operating in non-secure mode, only those descriptors within the mainTLB 208 which have been obtained from the non-secure page table will bechecked, whereas if the core 10 is operating in secure mode, only thedescriptors within the main TLB that have been obtained from the securepage table will be checked.

If there is a hit within the main TLB as a result of that checkingprocess, then the access control information is extracted from therelevant descriptor and passed back over path 242. In particular, thevirtual address portion and the corresponding physical address portionof the descriptor will be routed over path 242 to the micro-TLB 206, forstorage in an entry of the micro-TLB, the access permission rights willbe loaded into the access permission logic 202, and the regionattributes will be loaded into the region attribute logic 204. Theaccess permission logic 202 and region attribute logic 204 may beseparate to the micro-TLB, or may be incorporated within the micro-TLB.

At this point, the MMU 200 is then able to process the memory accessrequest since there will now be a hit within the micro-TLB 206.Accordingly, the micro-TLB 206 will generate the physical address, whichcan then be output over path 238 onto the system bus 40 for routing tothe relevant memory, this being either on-chip memory such as the TCM36, cache 38, etc, or one of the external memory units accessible viathe external bus interface 42. At the same time, the access permissionlogic 202 will determine whether the memory access is allowed, and willissue an abort signal back to the core 10 over path 230 if it determinesthat the core is not allowed to access the specified memory location inits current mode of operation. For example, certain portions of memory,whether in secure memory or non-secure memory, may be specified as onlybeing accessible by the core when that core is operating in supervisormode, and accordingly if the core 10 is seeking to access such a memorylocation when in, for example, user mode, the access permission logic202 will detect that the core 10 does not currently have the appropriateaccess rights, and will issue the abort signal over path 230. This willcause the memory access to be aborted. Finally, the region attributelogic 204 will determine the region attributes for the particular memoryaccess, such as whether the access is cacheable, bufferable, etc, andwill issue such signals over path 232, where they will then be used todetermine whether the data the subject of the memory access request canbe cached, for example within the cache 38, whether in the event of awrite access the write data can be buffered, etc.

In the event that there was no hit within the main TLB 208, then thetranslation table walk logic 210 is used to access the relevant pagetable 58 in order to retrieve the required descriptor over path 248, andthen pass that descriptor over path 246 to the main TLB 208 for storagetherein. The base address for both the non-secure page table and thesecure page table will be stored within registers of CP15 34, and thecurrent domain in which the processor core 10 is operating, i.e. securedomain or non-secure domain, will also be set within a register of CP15,that domain status register being set by the monitor mode when atransition occurs between the non-secure domain and the secure domain,or vice versa. The content of the domain status register will bereferred to herein as the domain bit. Accordingly, if a translationtable walk process needs to be performed, the translation table walklogic 210 will know in which domain the core 10 is executing, andaccordingly which base address to use to access the relevant table. Thevirtual address is then used as an offset to the base address in orderto access the appropriate entry within the appropriate page table inorder to obtain the required descriptor.

Once the descriptor has been retrieved by the translation table walklogic 210, and placed within the main TLB 208, a hit will then beobtained within the main TLB, and the earlier described process will beinvoked to retrieve the access control information, and store it withinthe micro-TLB 206, the access permission logic 202 and the regionattribute logic 204. The memory access can then be actioned by the MMU200.

As mentioned earlier, in preferred embodiments, the main TLB 208 canstore descriptors from both the secure page table and the non-securepage table, but the memory access requests are only processed by the MMU200 once the relevant information is stored within the micro-TLB 206. Inpreferred embodiments, the transfer of information between the main TLB208 and the micro-TLB 206 is monitored by the partition checker 222located within the MPU 220 to ensure that, in the event that the core 10is operating in a non-secure mode, no access control information istransferred into the micro-TLB 206 from descriptors in the main TLB 208if that would cause a physical address to be generated which is withinsecure memory.

The memory protection unit is managed by the secure operating system,which is able to set within registers of the CP15 34 partitioninginformation defining the partitions between the secure memory and thenon-secure memory. The partition checker 222 is then able to referencethat partitioning information in order to determine whether accesscontrol information is being transferred to the micro-TLB 206 whichwould allow access by the core 10 in a non-secure mode to secure memory.More particularly, in preferred embodiments, when the core 10 isoperating in a non-secure mode of operation, as indicated by the domainbit set by the monitor mode within the CP15 domain status register, thepartition checker 222 is operable to monitor via path 244 any physicaladdress portion seeking to be retrieved into the micro-TLB 206 from themain TLB 208 and to determine whether the physical address that wouldthen be produced for the virtual address based on that physical addressportion would be within the secure memory. In such circumstances, thepartition checker 222 will issue an abort signal over path 230 to thecore 10 to prevent the memory access from taking place.

It will be appreciated that in addition the partition checker 222 can bearranged to actually prevent that physical address portion from beingstored in the micro-TLB 206 or alternatively the physical addressportion may still be stored within the micro-TLB 206, but part of theabort process would be to remove that incorrect physical address portionfrom the micro-TLB 206, for example by flushing the micro-TLB 206.

Whenever the core 10 changes via the monitor mode between a non-securemode and a secure mode of operation, the monitor mode will change thevalue of the domain bit within the CP15 domain status register toindicate the domain into which the processor's operation is changing. Aspart of the transfer process between domains, the micro-TLB 206 will beflushed and accordingly the first memory access following a transitionbetween secure domain and non-secure domain will produce a miss in themicro-TLB 206, and require access information to be retrieved from mainTLB 208, either directly, or via retrieval of the relevant descriptorfrom the relevant page table.

By the above approach, it will be appreciated that the partition checker222 will ensure that when the core is operating in the non-securedomain, an abort of a memory access will be generated if an attempt ismade to retrieve into the micro-TLB 206 access control information thatwould allow access to secure memory.

If in any modes of operation of the processor core 10, the memory accessrequest is arranged to specify directly a physical address, then in thatmode of operation the MMU 200 will be disabled, and the physical addresswill pass over path 236 into the MPU 220. In a secure mode of operation,the access permission logic 224 and the region attribute logic 226 willperform the necessary access permission and region attribute analysisbased on the access permission rights and region attributes identifiedfor the corresponding regions within the partitioning informationregisters within the CP15 34. If the secure memory location seeking tobe accessed is within a part of secure memory only accessible in acertain mode of operation, for example secure privileged mode, then anaccess attempt by the core in a different mode of operation, for examplea secure user mode, will cause the access permission logic 224 togenerate an abort over path 230 to the core in the same way that theaccess permission logic 202 of the MMU would have produced an abort insuch circumstances. Similarly, the region attribute logic 226 willgenerate cacheable and bufferable signals in the same way that theregion attribute logic 204 of the MMU would have generated such signalsfor memory access requests specified with virtual addresses. Assumingthe access is allowed, the access request will then proceed over path240 onto the system bus 40, from where it is routed to the appropriatememory unit.

For a non-secure access where the access request specifies a physicaladdress, the access request will be routed via path 236 into thepartition checker 222, which will perform partition checking withreference to the partitioning information in the CP15 registers 34 inorder to determine whether the physical address specifies a locationwithin secure memory, in which event the abort signal will again begenerated over path 230.

The above described processing of the memory management logic will nowbe described in more detail with reference to the flow diagrams of FIGS.39 and 40. FIG. 39 illustrates the situation in which the programrunning on the core 10 generates a virtual address, as indicated by step300. The relevant domain bit within the CP15 domain status register 34as set by the monitor mode will indicate whether the core is currentlyrunning in a secure domain or the non-secure domain. In the event thatthe core is running in the secure domain, the process branches to step302, where a lookup is performed within the micro-TLB 206 to see if therelevant portion of the virtual address matches with one of the virtualaddress portions within the micro-TLB. In the event of a hit at step302, the process branches directly to step 312, where the accesspermission logic 202 performs the necessary access permission analysis.At step 314, it is then determined whether there is an access permissionviolation, and if there is the process proceeds to step 316, where theaccess permission logic 202 issues an abort over path 230. Otherwise, inthe absence of such an access permission violation, the process proceedsfrom step 314 to step 318, where the memory access proceeds. Inparticular the region attribute logic 204 will output the necessarycacheable and bufferable attributes over path 232, and the micro-TLB 206will issue the physical address over path 238 as described earlier.

If at step 302 there is a miss in the micro-TLB, then a lookup processis performed within the main TLB 208 at step 304 to determine whetherthe required secure descriptor is present within the main TLB. If not,then a page table walk process is executed at step 306, whereby thetranslation table walk logic 210 obtains the required descriptor fromthe secure page table, as described earlier with reference to FIG. 37.The process then proceeds to step 308, or proceeds directly to step 308from step 304 in the event that the secure descriptor was already in themain TLB 208.

At step 308, it is determined that the main TLB now contains the validtagged secure descriptor, and accordingly the process proceeds to step310, where the micro-TLB is loaded with the sub-section of thedescriptor that contains the physical address portion. Since the core 10is currently running in secure mode, there is no need for the partitionchecker 222 to perform any partition checking function.

The process then proceeds to step 312 where the remainder of the memoryaccess proceeds as described earlier.

In the event of a non-secure memory access, the process proceeds fromstep 300 to step 320, where a lookup process is performed in themicro-TLB 206 to determine whether the corresponding physical addressportion from a non-secure descriptor is present. If it is, then theprocess branches directly to step 336, where the access permissionrights are checked by the access permission logic 202. It is importantto note at this point that if the relevant physical address portion iswithin the micro-TLB, it is assumed that there is no security violation,since the partition checker 222 effectively polices the informationprior to it being stored within the micro-TLB, such that if theinformation is within the micro-TLB, it is assumed to be the appropriatenon-secure information. Once the access permission has been checked atstep 336, the process proceeds to step 338, where it is determinedwhether there is any violation, in which event an access permissionfault abort is issued at step 316. Otherwise, the process proceeds tostep 318 where the remainder of the memory access is performed, asdiscussed earlier.

In the event that at step 320 no hit was located in the micro-TLB, theprocess proceeds to step 322, where a lookup process is performed in themain TLB 208 to determine whether the relevant non-secure descriptor ispresent. If not, a page table walk process is performed at step 324 bythe translation table walk logic 210 in order to retrieve into the mainTLB 208 the necessary non-secure descriptor from the non-secure pagetable. The process then proceeds to step 326, or proceeds directly tostep 326 from step 322 in the event that a hit within the main TLB 208occurred at step 322. At step 326, it is determined that the main TLBnow contains the valid tagged non-secure descriptor for the virtualaddress in question, and then at step 328 the partition checker 222checks that the physical address that would be generated from thevirtual address of the memory access request (given the physical addressportion within the descriptor) will point to a location in non-securememory. If not, i.e. if the physical address points to a location insecure memory, then at step 330 it is determined that there is asecurity violation, and the process proceeds to step 332 where asecure/non-secure fault abort is issued by the partition checker 222.

If however the partition checker logic 222 determines that there is nosecurity violation, the process proceeds to step 334, where themicro-TLB is loaded with the sub-section of the relevant descriptor thatcontains the physical address portion, whereafter at step 336 the memoryaccess is then processed in the earlier described manner.

The handling of memory access requests that directly issue a physicaladdress will now be described with reference to FIG. 40. As mentionedearlier, in this scenario, the MMU 200 will be deactivated, thispreferably being achieved by the setting within a relevant register ofthe CP15 registers an MMU enable bit, this setting process beingperformed by the monitor mode. Hence, at step 350 the core 10 willgenerate a physical address which will be passed over path 236 into theMPU 220. Then, at step 352, the MPU checks permissions to verify thatthe memory access being requested can proceed given the current mode ofoperation, i.e. user, supervisor, etc. Furthermore, if the core isoperating in non-secure mode, the partition checker 222 will also checkat step 352 whether the physical address is within non-secure memory.Then, at step 354, it is determined whether there is a violation, i.e.whether the access permission processing has revealed a violation, or ifin non-secure mode, the partition checking process has identified aviolation. If either of these violations occurs, then the processproceeds to step 356 where an access permission fault abort is generatedby the MPU 220. It will be appreciated that in certain embodiments theremay be no distinction between the two types of abort, whereas inalternative embodiments the abort signal could indicate whether itrelates to an access permission fault or a security fault.

If no violation is detected at step 354, the process proceeds to step358, where the memory access to the location identified by the physicaladdress occurs.

In preferred embodiments only the monitor mode is arranged to generatephysical addresses directly, and accordingly in all other cases the MMU200 will be active and generation of the physical address from thevirtual address of the memory access request will occur as describedearlier.

FIG. 38 illustrates an alternative embodiment of the memory managementlogic in a situation where all memory access requests specify a virtualaddress, and accordingly physical addresses are not generated directlyin any of the modes of operation. In this scenario, it will beappreciated that a separate MPU 220 is not required, and instead thepartition checker 222 can be incorporated within the MMU 200. Thischange aside, the processing proceeds in exactly the same manner asdiscussed earlier with reference to FIGS. 37 and 39.

It will be appreciated that various other options are also possible. Forexample, assuming memory access requests may be issued by both secureand non-secure modes specifying virtual addresses, two MMUs could beprovided, one for secure access requests and one for non-secure accessrequests, i.e. MPU 220 in FIG. 37 could be replaced by a complete MMU.In such cases, the use of flags with the main TLB of each MMU to definewhether descriptors are secure or non-secure would not be needed, as oneMMU would store non-secure descriptors in its main TLB, and the otherMMU would store secure descriptors in its main TLB. Of course, thepartition checker would still be required to check whether an access tosecure memory is being attempted whilst the core is in the non-securedomain.

If, alternatively, all memory access requests directly specifiedphysical addresses, an alternative implementation might be to use twoMPUs, one for secure access requests and one for non-secure accessrequests. The MPU used for non-secure access requests would have itsaccess requests policed by a partition checker to ensure accesses tosecure memory are not allowed in non-secure modes.

As a further feature which may be provided with either the FIG. 37 orthe FIG. 38 arrangement, the partition checker 222 could be arranged toperform some partition checking in order to police the activities of thetranslation table walk logic 210. In particular, if the core iscurrently operating in the non-secure domain, then the partition checker222 could be arranged to check, whenever the translation table walklogic 210 is seeking to access a page table, that it is accessing thenon-secure page table rather than the secure page table. If a violationis detected, an abort signal would preferably be generated. Since thetranslation table walk logic 210 typically performs the page tablelookup by combining a page table base address with certain bits of thevirtual address issued by the memory access request, this partitionchecking may involve, for example, checking that the translation tablewalk logic 210 is using a base address of a non-secure page table ratherthan a base address of a secure page table.

FIG. 41 illustrates schematically the process performed by the partitionchecker 222 when the core 10 is operating in a non-secure mode. It willbe appreciated that in normal operation a descriptor obtained from thenon-secure page table should describe a page mapped in non-secure memoryonly. However, in the case of software attack, the descriptor may betampered with in order that it now describes a section that containsboth non-secure and secure regions of memory. Hence, considering theexample in FIG. 41, the corrupted non-secure descriptor may cover a pagethat includes non-secure areas 370, 372, 374 and secure areas 376, 378,380. If the virtual address issued as part of the memory access requestwould then correspond to a physical address in a secure memory region,for example the secure memory region 376 as illustrated in FIG. 41, thenthe partition checker 222 is arranged to generate an abort to preventthat access taking place. Hence, even though the non-secure descriptorhas been corrupted in an attempt to gain access to secure memory, thepartition checker 222 prevents the access taking place. In contrast, ifthe physical address that would be derived using this descriptorcorresponds to a non-secure memory region, for example region 374 asillustrated in FIG. 41, then the access control information loaded intothe micro-TLB 206 merely identifies this non-secure region 374. Hence,accesses within that non-secure memory region 374 can occur but noaccesses into any of the secure regions 376, 378 or 380 can occur. Thus,it can be seen that even though the main TLB 208 may contain descriptorsfrom the non-secure page table that have been tampered with, themicro-TLB will only contain physical address portions that will enableaccess to non-secure memory regions.

As described earlier, in embodiments where both non-secure modes andsecure modes may generate memory access requests specifying virtualaddresses, then the memory preferably comprises both a non-secure pagetable within non-secure memory, and a secure page table within securememory. When in non-secure mode, the non-secure page table will bereferenced by the translation table walk logic 210, whereas when insecure mode, the secure page table will be referenced by the translationtable walk logic 210. FIG. 42 illustrates these two page tables. Asshown in FIG. 42, the non-secure memory 390, which may for example bewithin external memory 56 of FIG. 1, includes within it a non-securepage table 395 specified in a CP15 register 34 by reference to a baseaddress 397. Similarly, within secure memory 400, which again may bewithin the external memory 56 of FIG. 1, a corresponding secure pagetable 405 is provided which is specified within a duplicate CP15register 34 by a secure page table base address 407. Each descriptorwithin the non-secure page table 395 will point to a correspondingnon-secure page in non-secure memory 390, whereas each descriptor withinthe secure page table 405 will define a corresponding secure page in thesecure memory 400. In addition, as will be described in more detaillater, it is possible for certain areas of memory to be shared memoryregions 410, which are accessible by both non-secure modes and securemodes.

FIG. 43 illustrates in more detail the lookup process performed withinthe main TLB 208 in accordance with preferred embodiments. As mentionedearlier, the main TLB 208 includes a domain flag 425 which identifieswhether the corresponding descriptor 435 is from the secure page tableor the non-secure page table. This ensures that when a lookup process isperformed, only the descriptors relevant to the particular domain inwhich the core 10 is operating will be checked. FIG. 43 illustrates anexample where the core is running in the secure domain, also referred toas the secure world. As can be seen from FIG. 43, when a main TLB 208lookup is performed, this will result in the descriptors 440 beingignored, and only the descriptors 445 being identified as candidates forthe lookup process.

In accordance with preferred embodiments, an additional process ID flag430, also referred to herein as the ASID flag, is provided to identifydescriptors from process specific page tables. Accordingly, processesP1, P2 and P3 may each have corresponding page tables provided withinthe memory, and further may have different page tables for non-secureoperation and secure operation. Further, it will be appreciated that theprocesses P1, P2, P3 in the secure domain may be entirely separateprocesses to the processes P1, P2, P3 in the non-secure domain.Accordingly, as shown in FIG. 43, in addition to checking the domainwhen a main TLB lookup 208 is required, the ASID flag is also checked.

Accordingly, in the example in FIG. 43 where in the secure domain,process P1 is executing, this lookup process identifies just the twoentries 450 within the main TLB 208, and a hit or miss is then generateddependent on whether the virtual address portion within those twodescriptors matches with the corresponding portion of the virtualaddress issued by the memory access request. If it does, then therelevant access control information is extracted and passed to themicro-TLB 206, the access permission logic 202 and the region attributelogic 204. Otherwise, a miss occurs, and the translation table walklogic 210 is used to retrieved into the main TLB 208 the requireddescriptor from the page table provided for secure process P1. As willbe appreciated by those skilled in the art, there are many techniquesfor managing the content of a TLB, and accordingly when a new descriptoris retrieved for storage in the main TLB 208, and the main TLB isalready full, any one of a number of known techniques may be used todetermine which descriptor to evict from the main TLB to make room forthe new descriptor, for example least recently used approaches, etc.

It will be appreciated that the secure kernel used in secure modes ofoperation may be developed entirely separately to the non-secureoperating system. However, in certain cases the secure kernel and thenon-secure operating system development may be closely linked, and insuch situations it may be appropriate to allow secure applications touse the non-secure descriptors. Indeed, this will allow the secureapplications to have direct access to non-secure data (for sharing) byknowing only the virtual address. This of course presumes that thesecure virtual mapping and the non-secure virtual mapping are exclusivefor a particular ASID. In such scenarios, the tag introduced previously(i.e. the domain flag) to distinguish between secure and non-securedescriptors will not be needed. The lookup in the TLB is instead thenperformed with all of descriptors available.

In preferred embodiments, the choice between this configuration of themain TLB, and the earlier described configuration with separate secureand non-secure descriptors, can be set by a particular bit providedwithin the CP15 control registers. In preferred embodiments, this bitwould only be set by the secure kernel.

In embodiments where the secure application were directly allowed to usea non-secure virtual address, it would be possible to make a non-securestack pointer available from the secure domain. This can be done bycopying a non-secure register value identifying the non-secure stackpointer into a dedicated register within the CP15 registers 34. Thiswill then enable the non-secure application to pass parameters via thestack according to a scheme understood by the secure application.

As described earlier, the memory may be partitioned into non-secure andsecure parts, and this partitioning is controlled by the secure kernelusing the CP15 registers 34 dedicated to the partition checker 222. Thebasic partitioning approach is based on region access permissions asdefinable in typical MPU devices. Accordingly, the memory is dividedinto regions, and each region is preferably defined with its baseaddress, size, memory attributes and access permissions. Further, whenoverlapping regions are programmed, the attributes of the upper regiontake highest priority. Additionally, in accordance with preferredembodiments of the present invention, a new region attribute is providedto define whether that corresponding region is in secure memory or innon-secure memory. This new region attribute is used by the securekernel to define the part of the memory that is to be protected assecure memory.

At the boot stage, a first partition is performed as illustrated in FIG.44. This initial partition will determine the amount of memory 460allocated to the non-secure world, non-secure operating system andnon-secure applications. This amount corresponds to the non-secureregion defined in the partition. This information will then be used bythe non-secure operating system for its memory management. The rest ofthe memory 462, 464, which is defined as secure, is unknown by thenon-secure operating system. In order to protect integrity in thenon-secure world, the non-secure memory may be programmed with accesspermission for secure privileged modes only. Hence, secure applicationswill not corrupt the non-secure ones. As can be seen from FIG. 44,following this boot stage partition, memory 460 is available for use bythe non-secure operating system, memory 462 is available for use by thesecure kernel, and memory 464 is available for use by secureapplications.

Once the boot stage partition has been performed, memory mapping of thenon-secure memory 460 is handled by the non-secure operating systemusing the MMU 200, and accordingly a series of non-secure pages can bedefined in the usual manner. This is illustrated in FIG. 45.

If a secure application needs to share memory with a non-secureapplication, the secure kernel can change the rights of a part of thememory to transfer artificially data from one domain to the other.Hence, as illustrated in FIG. 46, the secure kernel can, after checkingthe integrity of a non-secure page, change the rights of that page suchthat it becomes a secure page 466 accessible as shared memory.

When the partition of the memory is changed, the micro-TLB 206 needs tobe flushed. Hence, in this scenario, when a non-secure accesssubsequently occurs, a miss will occur in the micro-TLB 206, andaccordingly a new descriptor will be loaded from the main TLB 208. Thisnew descriptor will subsequently be checked by the partition checker 222of the MPU as it is attempted to retrieve it into the micro-TLB 206, andso will be consistent with the new partition of the memory.

In preferred embodiments, the cache 38 is virtual-indexed andphysical-tagged. Accordingly, when an access is performed in the cache38, a lookup will have already been performed in the micro-TLB 206first, and accordingly access permissions, especially secure andnon-secure permissions, will have been checked. Accordingly, secure datacannot be stored in the cache 38 by non-secure applications. Access tothe cache 38 is under the control of the partition checking performed bythe partition checker 222, and accordingly no access to secure data canbe performed in non-secure mode.

However, one problem that could occur would be for an application in thenon-secure domain to be able to use the cache operations register toinvalidate, clean, or flush the cache. It needs to be ensured that suchoperations could not affect the security of the system. For example, ifthe non-secure operating system were to invalidate the cache 38 withoutcleaning it, any secure dirty data must be written to the externalmemory before being replaced. Preferably, secure data is tagged in thecache, and accordingly can be dealt with differently if desired.

In preferred embodiments, if an “invalidate line by address” operationis executed by a non-secure program, the physical address is checked bythe partition checker 222, and if the cache line is a secure cache line,the operation becomes a “clean and invalidate” operation, therebyensuring that the security of the system is maintained. Further, inpreferred embodiments, all “invalidate line by index” operations thatare executed by a non-secure program become “clean and invalidate byindex” operations. Similarly, all “invalidate all” operations executedby a non-secure program become “clean and invalidate all” operations.

Furthermore, with reference to FIG. 1, any access to the TCM 36 by theDMA 32 is controlled by the micro-TLB 206. Hence, when the DMA 32performs a lookup in the TLB to translate its virtual address into aphysical one, the earlier described flags that were added in the mainTLB allow the required security checking to be performed, just as if theaccess request had been issued by the core 10. Further, as will bediscussed later, a replica partition checker is coupled to the externalbus 70, preferably being located within the arbiter/decoder block 54,such that if the DMA 32 directly accesses the memory coupled to theexternal bus 70 via the external bus interface 42, the replica partitionchecker connected to that external bus checks the validity of theaccess. Furthermore, in certain preferred embodiments, it would bepossible to add a bit to the CP15 registers 34 to define whether the DMAcontroller 32 can be used in the non-secure domain, this bit only beingallowed to be set by the secure kernel when operating in a privilegedmode.

Considering the TCM 36, if secure data is to placed within the TCM 36,this must be handled with care. As an example, a scenario could beimagined where the non-secure operating system programs the physicaladdress range for the TCM memory 36 so that it overlaps an externalsecure memory part. If the mode of operation then changes to a securemode, the secure kernel may cause data to be stored in that overlappingpart, and typically the data would be stored in the TCM 36, since theTCM 36 will typically have a higher priority than the external memory.If the non-secure operating system were then to change the setting ofthe physical address space for the TCM 36 so that the previous secureregion is now mapped in a non-secure physical area of memory, it will beappreciated that the non-secure operating system can then access thesecure data, since the partition checker will see the area as non-secureand won't assert an abort. Hence, to summarise, if the TCM is configuredto act as normal local RAM and not as SmartCache, it may be possible forthe non-secure operating system to read secure world data if it can movethe TCM base register to non-secure physical address.

To prevent this kind of scenario, a control bit is in preferredembodiments provided within the CP15 registers 34 which is onlyaccessible in secure privilege modes of operation, and provides twopossible configurations. In a first configuration, this control bit isset to “1”, in which event the TCM can only be controlled by the secureprivilege modes. Hence, any non-secure access attempted to the TCMcontrol registers within the CP15 34 will cause an undefined instructionexception to be entered. Thus, in this first configuration, both securemodes and non-secure modes can use the TCM, but the TCM is controlledonly by the secure privilege mode. In the second configuration, thecontrol bit is set to “0”, in which event the TCM can be controlled bythe non-secure operating system. In this case, the TCM is only used bythe non-secure applications. No secure data can be stored to or loadedfrom the TCM. Hence, when a secure access is performed, no look-up isperformed within the TCM to see if the address matched the TCM addressrange.

By default, it is envisaged that the TCM would be used only bynon-secure operating systems, as in this scenario the non-secureoperating system would not need to be changed.

As mentioned earlier, in addition to the provision of the partitionchecker 222 within the MPU 220, preferred embodiments of the presentinvention also provide an analogous partition checking block coupled tothe external bus 70, this additional partition checker being used topolice accesses to memory by other master devices, for example thedigital signal processor (DSP) 50, the DMA controller 52 coupleddirectly to the external bus, the DMA controller 32 connectable to theexternal bus via the external bus interface 42, etc. Indeed in someembodiments, as will be discussed later, it is possible to solely have apartition checking block coupled to the external (or device) bus, andnot to provide a partition checker as part of the memory managementlogic 30. In some such embodiments, a partition checker may optionallybe provided as part of the memory management logic 30, in such instancesthis partition checker be considered as a further partition checkerprovided in addition to the one coupled to the device bus.

As mentioned earlier, the entire memory system can consist of severalmemory units, and a variety of these may exist on the external bus 70,for example the external memory 56, boot ROM 44, or indeed buffers orregisters 48, 62, 66 within peripheral devices such as the screen driver46, I/O interface 60, key storage unit 64, etc. Furthermore, differentparts of the memory system may need to be defined as secure memory, forexample it may be desired that the key buffer 66 within the key storageunit 64 should be treated as secure memory. If an access to such securememory were to be attempted by a device coupled to the external bus,then it is clear that the earlier described memory management logic 30provided within the chip containing the core 10 would not be able topolice such accesses.

FIG. 47 illustrates how the additional partition checker 492 coupled tothe external bus, also referred to herein as the device bus, is used.The external bus would typically be arranged such that whenever memoryaccess requests were issued onto that external bus by devices, such asdevices 470, 472, those memory access requests would also includecertain signals on the external bus defining the mode of operation, forexample privileged, user, etc. In accordance with preferred embodimentsof the present invention the memory access request also involvesissuance of a domain signal onto the external bus to identify whetherthe device is operating in secure mode or non-secure mode. This domainsignal is preferably issued at the hardware level, and in preferredembodiments a device capable of operating in secure or non-securedomains will include a predetermined pin for outputting the domainsignal onto path 490 within the external bus. For the purpose ofillustration, this path 490 is shown separately to the other signalpaths 488 on the external bus.

This domain signal, also referred to herein as the “S bit” will identifywhether the device issuing the memory access request is operating insecure domain or non-secure domain, and this information will bereceived by the partition checker 492 coupled to the external bus. Thepartition checker 492 will also have access to the partitioninginformation identifying which regions of memory are secure ornon-secure, and accordingly can be arranged to only allow a device tohave access to a secure part of memory if the S bit is asserted toidentify a secure mode of operation.

By default, it is envisaged that the S bit would be unasserted, andaccordingly a pre-existing non-secure device, such as device 472illustrated in FIG. 47, would not output an asserted S bit andaccordingly would never be granted access by the partition checker 492to any secure parts of memory, whether that be within registers orbuffers 482, 486 within the screen driver 480, the I/O interface 484, orwithin the external memory 474.

For the sake of illustration, the arbiter block 476 used to arbitratebetween memory access requests issued by master devices, such as devices470, 472, is illustrated separately to the decoder 478 used to determinethe appropriate memory device to service the memory access request, andseparate from the partition checker 492. However, it will be appreciatedthat one or more of these components may be integrated within the sameunit if desired.

FIG. 48 illustrates an alternative embodiment, in which a partitionchecker 492 is not provided, and instead each memory device 474, 480,484 is arranged to police its own memory access dependent on the valueof the S bit. Accordingly, if device 470 were to assert a memory accessrequest in non-secure mode to a register 482 within the screen driver480 that was marked as secure memory, then the screen driver 480 woulddetermine that the S bit was not asserted, and would not process thememory access request. Accordingly, it is envisaged that withappropriate design of the various memory devices, it may be possible toavoid the need for a partition checker 492 to be provided separately onthe external bus.

In the above description of FIGS. 47 and 48, the “S bit” is said toidentify whether the device issuing the memory access request isoperating in secure domain or non-secure domain. Viewed another way,this S bit can be seen to indicate whether the memory access requestpertains to the secure domain or the non-secure domain.

In the embodiments described with reference to FIGS. 37 and 38, a singleMMU, along with a single set of page tables, was used to perform virtualto physical address translation. With such an approach, the physicaladdress space would typically be segmented between non-secure memory andsecure memory in a simplistic manner such as illustrated in FIG. 49.Here a physical address space 2100 includes an address space starting ataddress zero and extending to address Y for one of the memory unitswithin the memory system, for example the external memory 56. For eachmemory unit, the addressable memory would typically be sectioned intotwo parts, a first part 2110 being allocated as non-secure memory and asecond part 2120 being allocated as secure memory.

With such an approach, it will be appreciated that there are certainphysical addresses which are not accessible to particular domain(s), andthese gaps would be apparent to the operating system used in thosedomain(s). Whilst the operating system used in the secure domain willhave knowledge of the non-secure domain, and hence will not be concernedby this, the operating system in the non-secure domain should ideallynot need to have any knowledge of the presence of the secure domain, butinstead should operate as though the secure domain were not there.

As a further issue, it will be appreciated that a non-secure operatingsystem will see its address space for the external memory as starting ataddress zero and extending to address X, and the non-secure operatingsystem need know nothing about the secure kernel and in particular thepresence of the secure memory extending from address X+1 up to addressY. In contrast, the secure kernel will not see its address spacebeginning at address zero, which is not what an operating system wouldtypically expect.

One embodiment which alleviates the above concerns by allowing thesecure memory regions to be completely hidden from the non-secureoperating system's view of its physical address space, and by enablingboth the secure kernel in the secure domain and the non-secure operatingsystem in the non-secure domain to see their address space for externalmemory as beginning at address zero is illustrated schematically in FIG.51. Here, the physical address space 2200 is able to be segmented at thepage level into either secure or non-secure segments. In the exampleillustrated in FIG. 51, the address space for the external memory isshown as being segmented into four sections 2210, 2220, 2230, and 2240,consisting of two secure memory regions and two non-secure memoryregions.

Rather than transitioning between the virtual address space and thephysical address space via a single page table conversion, two separatelayers of address translation are performed with reference to a firstpage table and a second page table, thereby enabling the concept of anintermediate address space to be introduced which can be arrangeddifferently, dependent on whether the processor is in the secure domainor the non-secure domain. More particularly, as illustrated in FIG. 51,the two secure memory regions 2210 and 2230 in the physical addressspace can be mapped to the single region 2265 in the intermediateaddress space for the secure domain by use of descriptors providedwithin a secure page table within the set of page tables 2250. As far asthe operating system running on the processor is concerned, it will seethe intermediate address space as being the physical address space, andwill use an MMU to convert virtual addresses into intermediate addresseswithin the intermediate address space.

Similarly, an intermediate address space 2270 can be configured for thenon-secure domain, in which the two non-secure memory regions 2220 and2240 in the physical address space are mapped to the non-secure region2275 in the intermediate address space for the non-secure domain viacorresponding descriptors in a non-secure page table within the set ofpage tables 2250.

In one embodiment, the translation of virtual addresses into physicaladdresses via intermediate addresses is handled using two separate MMUsas illustrated in FIG. 50A. Each of the MMUs 2150 and 2170 in FIG. 50Acan be considered as being constructed in a similar manner to the MMU200 shown in FIG. 37, but for the sake of ease of illustration certaindetail has been omitted in FIG. 50A.

The first MMU 2150 includes a micro-TLB 2155, a main TLB 2160 andtranslation table walk logic 2165, while similarly the second MMU 2170includes a micro-TLB 2175, a main TLB 2180 and translation table walklogic 2185. The first MMU may be controlled by the non-secure operatingsystem when the processor is operating in the non-secure domain, or bythe secure kernel when the processor is operating in the secure domain.However, in preferred embodiments, the second MMU is only controllableby the secure kernel, or by the monitor program.

When the processor core 10 issues a memory access request, it will issuea virtual address over path 2153 to the micro-TLB 2155. The micro-TLB2155 will store for a number of virtual address portions correspondingintermediate address portions retrieved from descriptors stored withinthe main TLB 2160, the descriptors in the main TLB 2160 having beenretrieved from page tables in a first set of page tables associated withthe first MMU 2150. If a hit is detected within the micro-TLB 2155, thenthe micro-TLB 2155 can issue over path 2157 an intermediate addresscorresponding to the virtual address received over path 2153. If thereis no hit within the micro-TLB 2155, then the main TLB 2160 will bereferenced to see if a hit is detected within the main TLB, and if sothe relevant virtual address portion and corresponding intermediateaddress portion will be retrieved into the micro-TLB 2155, whereafterthe intermediate address can be issued over path 2157.

If there is no hit within the micro-TLB 2155 and the main TLB 2160, thenthe translation table walk logic 2165 is used to issue a request for therequired descriptor from a predetermined page table in a first set ofpage tables accessible by the first MMU 2150. Typically, there may bepage tables associated with individual processes for both secure domainor non-secure domain, and the intermediate base addresses for those pagetables will be accessible by the translation table walk logic 2165, forexample from appropriate registers within the CP15 registers 34.Accordingly, the translation table walk logic 2165 can issue anintermediate address over path 2167 to request a descriptor from theappropriate page table.

The second MMU 2170 is arranged to receive any intermediate addressesoutput by the micro-TLB 2155 over path 2157, or by the translation tablewalk logic 2165 over path 2167, and if a hit is detected within themicro-TLB 2175, the micro-TLB can then issue the required physicaladdress over path 2192 to memory to cause the required data to beretrieved over the data bus 2190. In the event of an intermediateaddress issued over path 2157, this will cause the required data to bereturned to the core 10, whilst for an intermediate address issued overpath 2167, this will cause the required descriptor to be returned to thefirst MMU 2150 for storage within the main TLB 2160.

In the event of a miss in the micro-TLB 2175, the main TLB 2180 will bereferenced, and if there is a hit within the main TLB, the requiredintermediate address portion and corresponding physical address portionwill be returned to the micro-TLB 2175, to then enable the micro-TLB2175 to issue the required physical address over path 2192. However, inthe absence of a hit in either the micro-TLB 2175 or the main TLB 2180,then the translation table walk logic 2185 will be arranged to output arequest over path 2194 for the required descriptor from the relevantpage table within a second set of page tables associated with the secondMMU 2170. This second set of page tables includes descriptors whichassociate intermediate address portions with physical address portions,and typically there will be at least one page table for secure domainand one page table for non-secure domain. When a request is issued overpath 2194, this will result in the relevant descriptor from the secondset of page tables being returned to the second MMU 2170 for storingwithin the main TLB 2180.

The operation of the embodiment illustrated in FIG. 50A will now beillustrated further by way of a specific example as set out below, inwhich the abbreviation VA denotes virtual address, IA denotesintermediate address, and PA denotes physical address:

1) Core issues VA = 3000 [IA = 5000, PA = 7000] 2) Miss in micro-TLB ofMMU 1 3) Miss in main TLB of MMU 1 Page Table 1 Base Address = 8000 IA[PA = 10000] 4) Translation Table Walk logic in MMU 1 performs pagetable lookup -issues IA = 8003 5) Miss in micro-TLB of MMU 2 6) Miss inmain TLB of MMU 2 Page Table 2 Base Address = 12000 PA 7) TranslationTable Walk Logic in MMU 2 performs page table lookup -issues PA = 12008“8000 IA = 10000 PA” returned as page table data 8) -stored in main TLBof MMU 2 9) -stored in micro-TLB of MMU 2 10) Micro-TLB in MMU 2 now hashit -issues PA = 10003 “3000 VA = 5000 IA” returned as page table data11) -stored in main TLB of MMU 1 12) -stored in micro-TLB of MMU 1 13)Micro-TLB in MMU 1 now has hit issues IA = 5000 to perform data access14) miss in micro-TLB of MMU 2 15) miss in main TLB of MMU 2 16)Translation Table Walk Logic in MMU 2 performs page table lookup -issuesPA = 12005 “5000 IA = 7000 PA” returned as page table data 17) -storedin main TLB of MMU 2 18) -stored in micro-TLB of MMU 2 19) Micro-TLB inMMU 2 now has hit -issues PA = 7000 to perform data access 20) Data atphysical address 7000 returned to coreNEXT TIME CORE ISSUES A MEMORY ACCESS REQUEST (say VA 3001 . . . )

1) Core issues VA=3001

2) Hit in micro-TLB of MMU1, request IA 5001 issued to MMU2

3) Hit in micro-TLB on MMU2, request for PA 7001 issued to memory

4) Data at PA 7001 returned to core.

It will be appreciated that in the above example misses occur in boththe micro-TLB and the main TLB of both MMUs, and hence this examplerepresents the ‘worst case’ scenario. Typically, it would be expectedthat a hit would be observed in at least one of the micro-TLBs or mainTLBs, thereby significantly reducing the time taken to retrieve thedata.

Returning to FIG. 51, the second set of page tables 2250 will typicallybe provided within a certain region of the physical address space, inpreferred embodiments a secure region. The first set of page tables canbe split into two types, namely secure page tables and non-secure pagetables. Preferably, the secure page tables will appear consecutivelywithin the intermediate address space 2265, as will the non-secure pagetables within the non-secure intermediate address space 2275. However,they need not be placed consecutively within the physical address space,and accordingly, by way of example, the secure page tables for the firstset of page tables may be spread throughout the secure regions 2210,2230, and in a similar way the non-secure page tables may be spreadthroughout the non-secure memory regions 2220 and 2240.

As mentioned previously, one of the main benefits of using the two-levelapproach of two sets of page tables is that for both the operatingsystem of the secure domain and the operating system of the non-securedomain the physical address space can be arranged to start at zero,which is what would typically be expected by an operating system.Additionally the secure memory regions can be completely hidden from thenon-secure operating system's view of its “physical address” space,since it sees as its physical address space the intermediate addressspace, which can be arranged to have a contiguous sequence ofintermediate addresses.

Additionally, the use of such an approach considerably simplifies theprocess of swapping regions of memory between non-secure memory andsecure memory. This is illustrated schematically with reference to FIG.52. As can be seen in FIG. 52, a region of memory 2300, which may forexample be a single page of memory, may exist within the non-securememory region 2220, and similarly a memory region 2310 may exist withinthe secure memory region 2210. However, these two memory regions 2300and 2310 can readily be swapped merely by changing the relevantdescriptors within the second set of page tables, such that the region2300 now becomes a secure region mapped to region 2305 in theintermediate address space of the secure domain, whilst region 2310 nowbecomes a non-secure region mapped to the region 2315 in theintermediate address space of the non-secure domain. This can occurentirely transparently to the operating systems in both the securedomain the non-secure domain, since their view of the physical addressspace is actually the intermediate address space of the secure domain ornon-secure domain, respectively. Hence, this approach avoids anyredefinition of the physical address space within each operating system.

An alternative embodiment of the present invention where two MMUs arealso used, but in a different arrangement to that of FIG. 50A, will nowbe described with reference to FIG. 50B. As can be seen from acomparison of FIG. 50B with FIG. 50A, the arrangement is almostidentical, but in this embodiment the first MMU 2150 is arranged toperform virtual address to physical address translation and the secondMMU is arranged to perform intermediate address to physical addresstranslation. Hence, instead of the path 2157 from the micro-TLB 2155 inthe first MMU 2150 to the micro-TLB 2175 in the second MMU 2170 used inthe FIG. 50A embodiment, the micro-TLB 2155 in the first MMU is insteadarranged to output a physical address directly over path 2192, as shownin FIG. 50B. The operation of the embodiment illustrated in FIG. 50Bwill now be illustrated by way of the specific example as set out below,which details the processing of the same core memory access request asillustrated earlier for the FIG. 50A embodiment:

1)  Core issues VA = 3000 [IA = 5000, PA = 7000] 2)  Miss in micro-TLBand main TLB of MMU 1 Page Table 1 Base Address = 8000 IA [PA = 10000]3)  Translation Table Walk logic in MMU1 performs page table lookup-issues IA = 8003 4)  IA 8003 misses in micro-TLB and main TLB of MMU 2Page Table 2 Base Address = 12000 PA 5)  Translation Table Walk logic inMMU2 performs page table lookup -issues PA = 12008 “8000 IA == 10000 PA”returned as page table data 6)  “8000 IA = 10000 PA” mapping stored inMain and micro-TLB of MMU2 7)  Micro-TLB in MMU2 can now translate therequest from step (3) to PA 10003 and issues fetch “3000 VA = 5000 IA”returned as page table data NOTE: This translation is retained intemporary storage by MMU1, but not stored directly in any TLB. 8) Translation table walk logic of MMU1 now issues request to MMU2 for IA= 5000 9)  IA 5000 misses in uTLB and main TLB of MMU 2 10)  TranslationTable Walk logic in MMU2 performs page table lookup -issues PA = 12005“5000 IA = 7000 PA” returned as page table data 11)  MMU2 stores “5000IA = 7000 PA” in uTLB and main TLB. This translation is alsocommunicated to MMU1. 12a)  MMU2 issues the PA = 7000 access to memory12b)  MMU1 combines the “3000 VA = 5000 IA” and the “5000 IA = 7000 PA”descriptors to give a “3000 VA = 7000 PA” descriptor, which is stored inthe main TLB and micro-TLB of MMU 1. 13)  Data at PA 7000 is returned tothe core.NEXT TIME CORE ISSUES A MEMORY ACCESS REQUEST (say VA 3001 . . . )

-   1) Core issues VA=3001-   2) Hit in micro-TLB of MMU1, MMU1 issues request for PA=7001-   3) Data at PA 7001 is returned to the core.

As can bee seen from a comparison of the above example with thatprovided for FIG. 50A, the main differences here are in step 7 whereMMU1 does not store the first table descriptor directly, and in step 12b (12 a and 12 b can happen at the same time) where MMU1 also receivesthe IA->PA translation and does the combination and stores the combineddescriptor in its TLBs.

Hence, it can be seen that whilst this alternative embodiment still usesthe two sets of page tables to convert virtual addresses to physicaladdresses, the fact that the micro-TLB 2155 and main TLB 2160 store thedirect virtual address to physical address translation avoids the needfor lookups to be performed in both MMUs when a hit occurs in either themicro-TLB 2155 or the main TLB 2160. In such cases the first MMU candirectly handle requests from the core without reference to the secondMMU.

It will be appreciated that the second MMU 2170 could be arranged not toinclude the micro-TLB 2175 and the main TLB 2180, in which case the pagetable walk logic 2185 would be used for every request that neededhandling by the second MMU. This would save on complexity and cost forthe second MMU, and might be acceptable assuming the second MMU was onlyneeded relatively infrequently. Since the first MMU will need to be usedfor every request, it will typically be expedient to include themicro-TLB 2155 and main TLB 2160 in the first MMU 2150 to improve speedof operation of the first MMU.

It should be noted that pages in the page tables may vary in size, andit is hence possible that the descriptors for the two halves of thetranslation relate to different sized pages. Typically, the MMU1 pageswill be smaller than the MMU2 pages but this is not necessarily thecase. For example:

Table 1 maps 4 Kb at 0x40003000 onto 0x00081000

Table 2 maps 1 Mb at 0x00000000 onto 0x02000000

Here, the smallest of the two sizes must be used for the combinedtranslation, so the combined descriptor is

4 Kb at 0x40003000 onto 0x02081000

However, where data is being swapped between worlds (as discussedearlier with reference to FIG. 52) it is possible that the reverse istrue, for example:

Table 1 maps 1 Mb at 0xc0000000 onto 0x00000000

Table 2 maps 4 Kb at 0x00042000 onto 0x02042000

Now, a lookup at address 0xc0042010 from the core gives the mapping:

4 Kb at 0xc0042000 onto 0x02042000

i.e. the smaller of the two sizes is always used for the combinedmapping.

Note that in the second case the process is less efficient, since the (1Mb) descriptor in table 1 will be repeatedly looked up and discarded asdifferent 4 Kb areas are accessed. However, in a typical system thetable 2 descriptors will be larger (as in the first example) themajority of the time, which is more efficient (the 1 Mb mapping can berecycled for other 4 Kb pages which point into the appropriate sectionof IA space).

As an alternative to employing two separate MMUs as illustrated in FIGS.50A and 50B, a single MMU can be used as illustrated in FIG. 53, whereupon a miss in the main TLB 2420, an exception is generated by the MMU,which then causes software to be run within the core 10 to produce avirtual to physical address translation based on a combination ofdescriptors from the two different sets of page tables. Moreparticularly, as shown in FIG. 53, the core 10 is coupled to an MMU2400, which includes a micro-TLB 2410 and a main TLB 2420. When the core10 issues a memory access request, the virtual address is provided overpath 2430, and if a hit is observed in the micro-TLB, then thecorresponding physical address is output directly over path 2440,causing the data to be returned over path 2450 into the core 10.However, if there is a miss in the micro-TLB 2410, the main TLB 2420 isreferenced and if the relevant descriptor is contained within the mainTLB the associated virtual address portion and corresponding physicaladdress portion are retrieved into the micro-TLB 2410, whereafter thephysical address can be issued over path 2440. However, if the main TLBalso produces a miss, then an exception is generated over path 2422 tothe core. The process performed within the core from receipt of such anexception will now be described further with reference to FIG. 54.

As shown in FIG. 54, if a TLB miss exception is detected by the core atstep 2500, then the core enters the monitor mode at a predeterminedvector for that exception at step 2510. This will then cause page tablemerging code to be run to perform the remainder of the steps illustratedin FIG. 54.

More particularly, at step 2520, the virtual address that was issuedover path 2430, and that gave rise to the miss in both the micro-TLB2410 and the main TLB 2420 (hereafter referred to as the faultingvirtual address) is retrieved, whereafter at step 2530 the intermediateaddress for the required first descriptor is determined dependent on theintermediate base address for the appropriate table within the first setof tables. Once that intermediate address has been determined (typicallyby some predetermined combination of the virtual address with theintermediate base address), then the relevant table within the secondset of tables is referenced in order to obtain the correspondingphysical address for that first descriptor. Thereafter at step 2550 thefirst descriptor can be fetched from memory in order to enable theintermediate address for the faulting virtual address to be determined.

Then, at step 2560, the second table is again referenced to find asecond descriptor giving the physical address for the intermediateaddress of the faulting virtual address. Thereafter at step 2570, thesecond descriptor is fetched to obtain the physical address for thefaulting virtual address.

Once the above information has been obtained, then the program mergesthe first and second descriptors to generate a new descriptor giving therequired virtual address to physical address translation, this stepbeing performed at step 2580. In a similar manner to that describedearlier with reference to FIG. 50B, the merging performed by thesoftware again uses the smallest page table size for the combinedtranslation. Thereafter, at step 2590, the new descriptor is storedwithin the main TLB 2420, whereafter the process returns from theexception at step 2595.

Thereafter, the core 10 will be arranged to reissue the virtual addressfor the memory access request over path 2430, which will still result ina miss in the micro-TLB 2410, but will now result in a hit in the mainTLB 2420. Hence, the virtual address portion and corresponding physicaladdress portion can be retrieved into the micro-TLB 2410, whereafter themicro-TLB 2410 can then issue the physical address over path 2440,resulting in the required data being returned to the core 10 over path2450.

It will be appreciated that, as alternative embodiments to thosedescribed earlier with reference to FIGS. 50A and 50B, one or both MMUsin those embodiments could be managed by software using the principlesdescribed above with reference to FIGS. 53 and 54.

Irrespective of whether two MMUs are used as shown in FIGS. 50A or 50B,or one MMU is used as shown in FIG. 53, the fact that the second set ofpage tables is managed by the processor when operating in monitor mode(or alternatively in a privileged secure mode) ensures that those pagetables are secure. As a result, when the processor is in the non-securedomain it can only see non-secure memory, since it is only theintermediate address space generated for the non-secure domain by thesecond set of page tables that the processor can see when in thenon-secure domain. As a result, there is no need to provide a partitionchecker as part of the memory management logic 30 illustrated in FIG. 1.However, a partition checker would still be provided on the external busto monitor accesses made by other bus masters in the system.

In the embodiments discussed earlier with reference to FIGS. 37 and 38,a partition checker 222 was provided in association with the MMU 200,and accordingly when an access is to be performed in the cache 38, alook-up will have already been performed in the micro-TLB 206 first, andaccordingly access permissions, especially secure and non-securepermissions, would have been checked. Accordingly, in such embodiments,secure data cannot be stored in the cache 38 by non-secure applications.Access to the cache 38 is under the control of the partition checkingperformed by the partition checker 222, and accordingly no access tosecure data can be performed in non-secure mode.

However, in an alternative embodiment of the present invention, apartition checker 222 is not provided for monitoring accesses made overthe system bus 40, and instead the data processing apparatus merely hasa single partition checker coupled to the external bus 70 for monitoringaccesses to memory units connected to that external bus. In suchembodiments, this then means that the processor core 10 can access anymemory units coupled directly to the system bus 40, for example the TCM36 and the cache 38, without those accesses being policed by theexternal partition checker, and accordingly some mechanism is requiredto ensure that the processor core 10 does not access secure data withinthe cache 38 or the TCM 36 whilst operating in a non-secure mode.

FIG. 55 illustrates a data processing apparatus in accordance with oneembodiment of the present invention, where a mechanism is provided toenable the cache 38 and/or the TCM 36 to control accesses made to themwithout the need for any partition checking logic to be provided inassociation with the MMU 200. As shown in FIG. 55, the core 10 iscoupled via an MMU 200 to the system bus 40, the cache 38 and TCM 36also being coupled to the system bus 40. The core 10, cache 38 and TCM36 are coupled via the external bus interface 42 to the external bus 70,which as illustrated in FIG. 55 consists of an address bus 2620, acontrol bus 2630 and a data bus 2640.

The core 10, MMU 200, cache 38, TCM 36 and external bus interface 42 canbe viewed as constituting a single device connected onto the externalbus 70, also referred to as a device bus, and other devices may also becoupled to that device bus, for example the secure peripheral device 470or the non-secure peripheral device 472. Also connected to the devicebus 70 will be one or more memory units, for example the external memory56. In addition, a bus control unit 2650 is connected to the device bus70, and will typically include an arbiter 2652, a decoder 2654 and apartition checker 2656. For a general discussion of the operation of thecomponents connected to the device bus, reference should be made to theearlier described FIG. 47. In the earlier described FIG. 47, thearbiter, decoder and partition checker were shown as separate blocks,but these elements work in the same manner when placed within a singlecontrol block 2650.

The MMu 200 of FIG. 55 is illustrated in more detail in FIG. 56. Bycomparison of FIG. 56 with FIG. 37, it can be seen that the MMU 200 isconstructed in exactly the same way as the MMU of FIG. 37, the onlydifference being that a partition checker 222 is not provided formonitoring data sent over path 242 between the main TLB 208 and themicro-TLB 206. If the processor core 10 issues a memory access requestthat specifies a virtual address, then that memory access request willbe routed through the MMU 200, and will be processed as describedearlier with reference to FIG. 37, resulting in a physical address beingoutput onto the system bus 40 over path 238 from the micro-TLB 206. If,in contrast, the memory access request directly specifies a physicaladdress, this will bypass the MMU 200, and instead will be routeddirectly onto the system bus 40 via path 236. In one embodiment onlywhen the processor is operating in the monitor mode will it generatememory access requests that directly specify physical addresses.

As will be recalled from the earlier description of the MMU 200, and inparticular from the description of FIG. 43, the main TLB 208 willcontain a number of descriptors 435, and for each descriptor a domainflag 425 will be provided to identify whether the correspondingdescriptor is from a secure page table or a non-secure page table. Thesedescriptors 435 and associated domain flags 425 are illustratedschematically within the MMU 200 of FIG. 55.

When the core 10 issues a memory access request, this will result in aphysical address for that memory access request being output on thesystem bus 40 and typically the cache 38 will then perform a look-upprocess to determine whether the data item specified by that address isstored within the cache. Whenever a miss occurs within the cache, i.e.it is determined that the data item subject to the access request is notstored within the cache, a linefill procedure will be initiating by thecache in order to retrieve from the external memory 56 a line of datathat includes the data item the subject of the memory access request. Inparticular, the cache will output via the EBI 42 a linefill request ontothe control bus 2630 of the device bus 70, with a start address beingoutput on the address bus 2620. In addition, an HPROT signal will beoutput over path 2632 onto the control bus 2630, which will include adomain signal specifying the mode of operation of the core at the timethe memory access request was issued. Hence, the linefill process can beviewed as the propagation of the original memory access request onto theexternal bus by the cache 38.

This HPROT signal will be received by the partition checker 2656, andaccordingly will identify to the partition checker whether the devicerequesting the specified data from the external memory 56 (in this casethe device incorporating the core 10 and the cache 38) was operating inthe secure domain or the non-secure domain at the time the memory accessrequest was issued. The partition checker 2656 will also have access tothe partitioning information identifying which regions of memory aresecure or non-secure, and accordingly can determine whether the deviceis allowed to have access to the data it is requesting. Hence, thepartition checker can be arranged to only allow a device to have accessto a secure part of the memory if the domain signal within the HPROTsignal (also referred to herein as an S bit) is asserted to identifythat access to this data was requested by the device whilst operating ina secure mode of operation.

If the partition checker determines that the core 10 is not allowed tohave access to the data requested, for example because the HPROT signalhas identified that the core was operating in a non-secure mode ofoperation, but the linefill request is seeking to retrieve data from theexternal memory that is within a secure region of memory, then thepartition checker 2656 will issue an abort signal onto the control bus2630, which will be passed back over path 2636 to the EBI 42, and fromthere back to the cache 38, resulting in an abort signal being issuedover path 2670 to the core 10. However, if the partition checker 2656determines that the access is allowed, then it will output an S tagsignal identifying whether the data being retrieved from the externalmemory is secure data or non-secure data, and this S Tag signal will bepassed back via path 2634 to the EBI 42, and from there back to thecache 38 to enable setting of the flag 2602 associated with the cacheline 2600 the subject of the linefill process.

At the same time, the control logic 2650 will authorise the externalmemory 56 to output the linefill data requested, this data being passedback via the EBI 42 over path 2680 to the cache 38 for storing in therelevant cache line 2600. Hence, as a result of this process, the chosencache line within the cache 38 will be filled with data items from theexternal memory 56, these data items including the data item that wasthe subject of the original memory access request from the core 10. Thedata item the subject of the memory access request from the core canthen be returned to the core from the cache 38, or alternatively can beprovided directly from the EBI 42 back to the core 10 over path 2660.

Since, in preferred embodiments, the original storage of data in a cacheline will occur as a result of the above described linefill process, theflag 2602 associated with that cache line will be set based on the valueprovided by the partition checker 2656, and that flag can then be usedby the cache 38 to directly control any subsequent access to the dataitems in that cache line 2600. Hence, if the core 10 subsequently issuesa memory access request that produces a hit in a particular cache line2600 of the cache 38, the cache 38 will review the value of theassociated flag 2602, and compare that value with the current mode ofoperation of the core 10. In preferred embodiments, this current mode ofoperation of the core 10 is indicated by a domain bit set by the monitormode within the CP15 domain status register. Hence, cache 38 can bearranged to only allow data items in a cache line that the correspondingflag 2602 indicates is secure data to be accessed by the processor core10 when the processor core 10 is operating in a secure mode ofoperation. Any attempt by the core to access secure data within thecache 38 whilst the core is operating in a non-secure mode will resultin the cache 38 generating an abort signal over path 2670.

The TCM 36 can be set up in a variety of ways. In one embodiment, it canbe set up to act like a cache, and in that embodiment will be arrangedto include a plurality of lines 2610, each of which has a flag 2612associated therewith in the same way as the cache 38. Accesses to theTCM 36 are then managed in exactly the same way as described earlierwith reference to the cache 38, with any TCM miss resulting in alinefill process being performed, as a result of which data will beretrieved into a particular line 2610, and the partition checker 2656will generate the required S tag value for storing in the flag 2612associated with that line 2610.

In an alternative embodiment, the TCM 36 may be set up as an extensionof the external memory 56 and used to store data used frequently by theprocessor, since access to the TCM via the system bus is significantlyfaster than access to external memory. In such embodiments, the TCM 36would not use the flags 2612, and instead a different mechanism would beused to control access to the TCM. In particular, as described earlier,in such embodiments, a control flag may be provided which is settable bythe processor when operating in a privileged secure mode to indicatewhether the tightly coupled memory is controllable by the processor onlywhen executing in a privileged secure mode or is controllable by theprocessor when executing in the at least one non-secure mode. Thecontrol flag is set by the secure operating system, and in effectdefines whether the TCM is controlled by the privileged secure mode orby non-secure modes. Hence, one configuration that can be defined isthat the TCM is only controlled when the processor is operating in aprivileged secure mode of operation. In such embodiments, any non-secureaccess attempted to the TCM control registers will cause an undefinedinstruction exception to be entered.

In an alternative configuration, the TCM can be controlled by theprocessor when operating in a non-secure mode of operation. In suchembodiments, the TCM is only used by the non-secure applications. Nosecure data can be stored to or loaded from the TCM. Hence, when asecure access is performed, no look-up is performed within the TCM tosee if the address matched the TCM address range.

FIG. 57 is a flow diagram illustrating the processing performed by theapparatus of FIG. 55 when a non-secure program operating on theprocessor core 10 generates a virtual address (step 2700). Firstly, atstep 2705, a look-up is performed within the micro-TLB 206, and if thisresults in a hit, the micro-TLB then checks access permissions at step2730. With reference to FIG. 56, this process can be viewed as beingperformed by the access permission logic 202.

If at step 2705, a miss occurs in the micro-TLB look-up, then a look-upis performed in the main TLB 208 amongst the non-secure descriptorsstored therein (step 2710). If this results in a miss, then a page tablewalk process is performed at step 2715 (which has been discussed indetail previously with reference to FIG. 37), where after at step 2720it is determined that the main TLB contains the valid tagged non-securedescriptor. If the look-up at step 2710 produces a hit, then the processproceeds directly to step 2720.

Thereafter, at step 2725, the micro-TLB is loaded with the section ofthe descriptor which contains the physical address, whereafter at step2730 the micro-TLB checks the access permissions.

If at step 2730, it is determined that there is a violation of theaccess permissions, then the process proceeds to step 2740, where anabort signal is issued over path 230 to the processor core (analogous topath 2670 shown in FIG. 55). However, assuming there is no violationdetected, then at step 2745 it is determined whether the access isrelated to a cacheable data item. If not, then an external access isinitiated at step 2790 to seek to retrieve the data item from theexternal memory 56. At step 2795, the partition checker 2656 willdetermine whether there is a secure partition violation, i.e. if theprocessor core 10 is seeking to access a data item in secure memorywhilst operating in a non-secure mode, and if a violation is detected,then the partition checker 2656 will generate an abort signal at step2775. However, assuming there is no secure partition violation, then theprocess proceeds to step 2785, where the data access takes place.

If at step 2745 it was determined that the data item being requested iscacheable, then a cache look-up is performed at step 2750 within thecache, and if a hit is detected, the cache then determines whether thereis a secure line tag violation at step 2755. Hence, at this stage, thecache will review the value of the flag 2602 associated with the cacheline containing the data item, and will compare the value of that flagwith the mode of operation of the core 10 to determine whether the coreis entitled to access the data item requested. If a secure line tagviolation is detected, then the process proceeds to step 2760, where asecure violation fault abort signal is generated by the cache 38 andissued over path 2670 to the core 10. However, assuming there is nosecure line tag violation detected at step 2755, then the data access isperformed at step 2785.

If when the cache look-up is performed at step 2750 a cache miss occurs,then a cache linefill is initiated at step 2765. At step 2770, thepartition checker 2656 then detects whether there is a secure partitionviolation, and if so issues an abort signal at step 2775. However,assuming there is no secure partition violation detected, then the cachelinefill proceeds at step 2780, resulting in the data access completingat step 2785.

As illustrated in FIG. 57, steps 2705, 2710, 2715, 2720, 2725, 2730 and2735 are performed within the MMU, steps 2745, 2750, 2755, 2765, 2780and 2790 are performed by the cache, and steps 2770 and steps 2795 areperformed by the partition checker.

FIG. 58 is a flow diagram showing the analogous process performed in theevent that a secure program executing on the core generates a virtualaddress (step 2800). By comparison of FIG. 58 with FIG. 57, it will beappreciated that steps 2805 through 2835 performed within the MMU areanalogous to the steps 2705 through 2735 described earlier withreference to FIG. 57. The only difference is at step 2810, where thelook-up performed within the main TLB is performed in relation to anysecure descriptors stored within the main TLB, as a result of which atstep 2820 the main TLB contains valid tagged secure descriptors.

Within the cache, the cache no longer needs to look for any secure linetag violation, since in the embodiment illustrated with reference toFIG. 58, it is assumed that the secure program can access both securedata and non-secure data. Accordingly, if a hit occurs during the cachelook-up at step 2850, then the process proceeds directly to the dataaccess step 2885.

Similarly, in the event that an external access to the external memoryis required (i.e. at steps 2865 or 2890), the partition checker needperform no partition checking, since again it is assumed that the secureprogram can access either secure data or non-secure data.

The steps 2845, 2850, 2865, 2880 and 2890 performed within the cache areanalogous to the steps 2745, 2750, 2765, 2780 and 2790 described earlierwith reference to FIG. 57.

FIG. 59 shows different modes and applications running on a processor.The dashed lines indicate how different modes and/or applications can beseparated and isolated from one another during monitoring of theprocessor according to an embodiment of the present invention.

The ability to monitor a processor to locate possible faults anddiscover why an application is not performing as expected is extremelyuseful and many processors provide such functions. The monitoring can beperformed in a variety of ways including debug and trace functions.

In the processor according to the present technique debug can operate inseveral modes including halt debug mode and monitor debug mode. Thesemodes are intrusive and cause the program running at the time to bestopped. In halt debug mode, when a breakpoint or watchpoint occurs, thecore is stopped and isolated from the rest of the system and the coreenters debug state. On entry the core is halted, the pipeline is flushedand no instructions are pre-fetched. The PC is frozen and any interrupts(IRQ and FIQ) are ignored. It is then possible to examine the coreinternal state (via the JTAG serial interface) as well as the state ofthe memory system. This state is invasive to program execution, as it ispossible to modify current mode, change register contents, etc. OnceDebug is terminated, the core exits from the Debug State by scanning inthe Restart instruction through the Debug TAP (test access port). Thenthe program resumes execution.

In monitor debug mode, a breakpoint or watchpoint causes the core toenter abort mode, taking prefetch or Data Abort vectors respectively. Inthis case, the core is still in a functional mode and is not stopped asit is in Halt debug mode. The abort handler communicates with a debuggerapplication to access processor and coprocessor state or dump memory. Adebug monitor program interfaces between the debug hardware and thesoftware debugger. If bit 11 of the debug status and control registerDSCR is set (see later), interrupts (FIQ and IRQ) can be inhibited. Inmonitor debug mode, vector catching is disabled on Data Aborts andPrefetch Aborts to avoid the processor being forced into anunrecoverable state as a result of the aborts that are generated for themonitor debug mode. It should be noted that monitor debug mode is a typeof debug mode and is not related to monitor mode of the processor whichis the mode that supervises switching between secure world andnon-secure world.

Debug can provide a snapshot of the state of a processor at a certainmoment. It does this by noting the values in the various registers atthe moment that a debug initiation request is received. These values arerecorded on a scan chain (541, 544 of FIG. 67) and they are thenserially output using a JTAG controller (18 or FIG. 1).

An alternative way of monitoring the core is by trace. Trace is notintrusive and records subsequent states as the core continues tooperate. Trace runs on an embedded trace macrocell (ETM) 22, 26 ofFIG. 1. The ETM has a trace port through which the trace information isexported, this is then analysed by an external trace port analyser.

The processor of embodiments of the present technique operates in twoseparate domains, in the embodiments described these domains comprisesecure and non-secure domains. However, for the purposes of themonitoring functions, it will be clear to the skilled person that thesedomains can be any two domains between which data should not leak.Embodiments of the present technique are concerned with preventingleakage of data between the two domains and monitoring functions such asdebug and trace which are conventionally allowed access to the wholesystem are a potential source of data leakage between the domains.

In the example given above of a secure and non-secure domain or world,secure data must not be available to the non-secure world. Furthermore,if debug is permitted, in secure world, it may be advantageous for someof the data within secure world to be restricted or hidden. The hashedlines in FIG. 59 shows some examples of possible ways to segment dataaccess and provide different levels of granularity. In FIG. 59, monitormode is shown by block 500 and is the most secure of all the modes andcontrols switching between secure and non-secure worlds. Below monitormode 500 there is a supervisor mode, this comprises secure supervisormode 510 and non-secure supervisor mode 520. Then there is non-secureuser mode having applications 522 and 524 and secure user mode withapplications 512, 514 and 516. The monitoring modes (debug and trace)can be controlled to only monitor non-secure mode (to the left of hashedline 501). Alternatively the non-secure domain or world and the secureuser mode may be allowed to be monitored (left of 501 and the portionright of 501 that lies below 502). In a further embodiment thenon-secure world and certain applications running in the secure userdomain may be allowed, in this case further segmentation by hashed lines503 occurs. Such divisions help prevent leakage of secure data betweendifferent users who may be running the different applications. In somecontrolled cases monitoring of the entire system may be allowed.According to the granularity required the following parts of the coreneed to have their access controlled during monitoring functions.

There are four registers that can be set on a Debug event; theinstruction Fault Status Register (IFSR), Data Fault Status Register(DFSR), Fault Address Register (FAR), and Instruction Fault AddressRegister (IFAR). These registers should be flushed in some embodimentswhen going from secure world to non-secure world to avoid any leak ofdata.

PC sample register: The Debug TAP can access the PC through scan chain7. When debugging in secure world, that value may be masked depending onthe debug granularity chosen in secure world. It is important thatnon-secure world, or non-secure world plus secure user applicationscannot get any value of the PC while the core is running in the secureworld.

TLB entries: Using CP15 it is possible to read micro TLB entries andread and write main TLB entries. We can also control main TLB and microTLB loading and matching. This kind of operation must be strictlycontrolled, particularly if secure thread-aware debug requiresassistance of the MMU/MPU.

Performance Monitor Control register: The performance control registergives information on the cache misses, micro TLB misses, external memoryrequests, branch instruction executed, etc. Non-secure world should nothave access to this data, even in Debug State. The counters should beoperable in secure world even if debug is disabled in secure world.

Debugging in cache system: Debugging must be non-intrusive in a cachedsystem. It is important is to keep coherency between cache and externalmemory. The Cache can be invalidated using CP15, or the cache can beforced to be write-through in all regions. In any case, allowing themodification of cache behaviour in debug can be a security weakness andshould be controlled.

Endianness: Non-secure world or secure user applications that can accessto debug should not be allowed to change endianness. Changing theendianness could cause the secure kernel to malfunction. Endiannessaccess is prohibited in debug, according to the granularity.

Access of the monitoring functions to portions of the core can becontrolled at initiation of the monitoring function. Debug and trace areinitialised in a variety of ways. Embodiments of the present techniquecontrol the access of the monitoring function to certain secure portionsof the core by only allowing initialisation under certain conditions.

Embodiments of the present technique seek to restrict entry intomonitoring functions with the following granularity:

By controlling separately intrusive and observable (trace) debug;

By allowing debug entry in secure user mode only or in the whole secureworld;

By allowing debug in secure user mode only and moreover taking accountof the thread ID (application running).

In order to control the initiation of a monitoring function it isimportant to be aware of how the functions can be initiated. FIG. 60shows a table illustrating the possible ways of initiating a monitoringfunction, the type of monitoring function that is initiated and the waythat such an initiation instruction can be programmed.

Generally, these monitoring instructions can be entered via software orvia hardware, i.e. via the JTAG controller. In order to control theinitiation of monitoring functions, control values are used. Thesecomprise enable bits which are condition dependent and thus, if aparticular condition is present, monitoring is only allowed to start ifthe enable bit is set. These bits are stored on a secure register CP14(debug and status control register, DSCR), which is located in ICE 530(see FIG. 67).

In a preferred embodiment there are four bits that enable/disableintrusive and observable debug, these comprise a secure debug enablebit, a secure trace enable bit, a secure user-mode enable bit and asecure thread aware enable bit. These control values serve to provide adegree of controllable granularity for the monitoring function and assuch can help stop leakage of data from a particular domain. FIG. 61provides a summary of these bits and how they can be accessed.

These control bits are stored in a register in the secure domain andaccess to this register is limited to three possibilities. Softwareaccess is provided via ARM coprocessor MRC/MCR instructions and theseare only allowed from the secure supervisor mode. Alternatively,software access can be provided from any other mode with the use of anauthentication code. A further alternative relates more to hardwareaccess and involves the instructions being written via an input port onthe JTAG. In addition to being used to input control values relating tothe availability of monitoring functions, this input port can be used toinput control values relating to other functions of the processor.

Further details relating to the scan chain and JTAG are given below.

Register Logic Cell

Every integrated circuit (IC) consists of two kind of logic:

-   Combinatory logic cells; like AND, OR, INV gates. Such gates or    combination of such gates is used to calculate Boolean expressions    according to one or several input signals.-   Register logic cells; like LATCH, FLIP-FLOP. Such cells are used to    memorize any signal value. FIG. 62 shows a positive-edge triggered    FLIP-FLOP view:

When positive-edge event occurs on the clock signal (CK), the output (Q)received the value of the input (D); otherwise the output (Q) keeps itsvalue in memory.

Scan Chain Cell

For test or debug purpose, it is required to bypass functional access ofregister logic cells and to have access directly to the contents of theregister logic cells. Thus register cells are integrated in a scan chaincell as shown in FIG. 63.

In functional mode, SE (Scan Enable) is clear and the register cellworks as a single register cell. In test or debug mode, SE is set andinput data can come from SI input (Scan In) instead of D input.

Scan Chain

All scan chain cells are chained in scan chain as shown in FIG. 64.

In functional mode, SE is clear and all register cells can be accessednormally and interact with other logic of the circuit. In Test or Debugmode, SE is set and all registers are chained between each other in ascan chain. Data can come from the first scan chain cell and can beshifted through any other scan chain cell, at the cadence of each clockcycle. Data can be shifted out also to see the contents of theregisters.

TAP Controller

A debug TAP controller is used to handle several scan chains. The TAPcontroller can select a particular scan chain: it connects “Scan In” and“Scan Out” signals to that particular scan-chain. Then data can bescanned into the chain, shifted, or scanned out. The TAP controller iscontrolled externally by a JTAG port interface. FIG. 65 schematicallyillustrates a TAP controller

JTAG Selective Disable Scan Chain Cell

For security reasons, some registers might not be accessible by scanchain, even in debug or test mode. A new input called JADI (JTAG AccessDisable) can allow removal dynamically or statically of a scan chaincell from a whole scan chain, without modifying the scan chain structurein the integrated circuit. FIGS. 66A and B schematically show thisinput.

If JADI is inactive (JADI=0), whether in functional or test or debugmode, the scan chain works as usual. If JADI is active (JADI=1), and ifwe are in test or debug mode, some scan chain cells (chosen bydesigner), may be “removed” from the scan chain structure. In order tokeep the same number of scan-chain cell, the JTAG Selective Disable ScanChain Cell use a bypass register. Note that Scan Out (SO) and scan chaincell output (Q) are now different.

FIG. 67 schematically shows the processor including parts of the JTAG.In normal operation instruction memory 550 communicates with the coreand can under certain circumstances also communicate with register CP14and reset the control values. This is generally only allowable fromsecure supervisor mode.

When debug is initiated instructions are input via debug TAP 580 and itis these that control the core. The core in debug runs in a step by stepmode. Debug TAP has access to CP14 via the core (in dependence upon anaccess control signal input on the JSDAEN pin shown as JADI pin, JTAGACCESS DISABLE INPUT in FIG. 45) and the control values can also bereset in this way.

Access to the CP14 register via debug TAP 580 is controlled by an accesscontrol signal JSDAEN. This is arranged so that in order for access andin particular write access to be allowed JSDAEN must be set high. Duringboard stage when the whole processor is being verified, JSDAEN is sethigh and debug is enabled on the whole system. Once the system has beenchecked, the JSDAEN pin can be tied to ground, this means that access tothe control values that enable debug in secure mode is now not availablevia Debug TAP 580. Generally processors in production mode have JSDAENtied to ground. Access to the control values is thus, only available viathe software route via instruction memory 550. Access via this route islimited to secure supervisor mode or to another mode provided anauthentication code is given (see FIG. 68).

It should be noted that by default debug (intrusive andobservable—trace) are only available in non-secure world. To enable themto be available in secure world the control value enable bits need to beset.

The advantages of this are that debug can always be initiated by usersto run in non-secure world. Thus, although access to secure world is notgenerally available to users in debug this may not be a problem in manycases because access to this world is limited and secure world has beenfully verified at board stage prior to being made available. It istherefore foreseen that in many cases debugging of the secure world willnot be necessary. A secure supervisor can still initiate debug via thesoftware route of writing CP14 if necessary.

FIG. 68 schematically shows the control of debug initialisation. In thisFigure a portion of the core 600 comprises a storage element 601 (whichmay be a CP15 register as previously discussed) in which is stored asecure status bit S indicative of whether the system is in secure worldor not. Core 600 also comprises a register 602 comprising bitsindicative of the mode that the processor is running in, for exampleuser mode, and a register 603 providing a context identifier thatidentifies the application or thread that is currently running on thecore.

When a breakpoint is reached comparator 610, which compares a breakpointstored on register 611 with the address of the core stored in register612, sends a signal to control logic 620. Control logic 620 looks at thesecure state S, the mode 602 and the thread (context identifier) 603 andcompares it with the control values and condition indicators stored onregister CP14. If the system is not operating in secure world, then a“enter debug” signal will be output at 630. If however, the system isoperating in secure world, the control logic 620 will look at the mode602, and if it is in user mode will check to see if user mode enable anddebug enable bits are set. If they are then debug will be initialisedprovided that a thread aware bit has not been initialised. The aboveillustrates the hierarchical nature of the control values.

The thread aware portion of the monitoring control is also shownschematically in FIG. 68 along with how the control value stored inregister CP14 can only be changed from secure supervisor mode (in thisembodiment the processor is in production stage and JSDAEN is tied toground). From a secure user mode, secure supervisor mode can be enteredusing an authentication code and then the control value can be set inCP14.

Control logic 620 outputs an “enter debug” signal when addresscomparator 610 indicates that a breakpoint has been reached providedthread comparator 640 shows that debug is allowable for that thread.This assumes that the thread aware initialisation bit is set in CP14. Ifthe thread aware initialisation bit is set following a breakpoint, debugor trace can only be entered if address and context identifiers matchthose indicated in the breakpoint and in the allowable thread indicator.Following initiation of a monitoring function, the capture of diagnosticdata will only continue while the context identifier is detected bycomparator 640 as an allowed thread. When a context identifier showsthat the application running is not an allowed one, then the capture ofdiagnostic data is suppressed.

It should be noted that in the preferred embodiment, there is somehierarchy within the granularity. In effect the secure debug or traceenable bit is at the top, followed by the secure user-mode enable bitand lastly comes the secure thread aware enable bit. This is illustratedin FIGS. 69A and 69B (see below).

The control values held in the “Debug and Status Control” register(CP14) control secure debug granularity according to the domain, themode and the executing thread. It is on top of secure supervisor mode.Once the “Debug and Status Control” register CP14 is configured, it's upto secure supervisor mode to program the corresponding breakpoints,watchpoints, etc to make the core enter Debug State.

FIG. 69A shows a summary of the secure debug granularity for intrusivedebug. Default values at reset are represented in grey colour.

It is the same for debug granularity concerning observable debug. FIG.69B shows a summary of secure debug granularity in this case, heredefault values at reset are also represented in grey colour.

Note that Secure user-mode debug enable bit and Secure thread-awaredebug enable bit are commonly used for intrusive and observable debug.

A thread aware initialisation bit is stored in register CP14 andindicates if granularity by application is required. If the thread awarebit has been initialised, the control logic will further check that theapplication identifier or thread 603 is one indicated in the threadaware control value, if it is, then debug will be initialised. If eitherof the user mode or debug enable bits are not set or the thread awarebit is set and the application running is not one indicated in thethread aware control value, then the breakpoint will be ignored and thecore will continue doing what it was doing and debug will not beinitialised.

In addition to controlling initialisation of monitoring functions, thecapture of diagnostic data during a monitor function can also becontrolled in a similar way. In order to do this the core must continueto consider both the control values, i.e. the enable bits stored inregister CP14 and the conditions to which they relate during operationof the monitoring function.

FIG. 70 shows schematically granularity of a monitoring function whileit is running. In this case region A relates to a region in which it ispermissible to capture diagnostic data and region B relates to region inwhich control values stored in CP14 indicate that it is not possible tocapture diagnostic data.

Thus, when debug is running and a program is operating in region A,diagnostic data is output in a step-by-step fashion during debug. Whenoperation switches to Region B, where the capture of diagnostic data isnot allowed, debug no longer proceeds in a step by step fashion, ratherit proceeds atomically and no data is captured. This continues untiloperation of the program re-enters region A whereupon the capture ofdiagnostic data starts again and debug continues running in astep-by-step fashion.

In the above embodiment, if secure domain is not enabled, a SMIinstruction is always seen as an atomic event and the capture ofdiagnostic data is suppressed.

Furthermore, if the thread aware initialisation bit is set thengranularity of the monitoring function during operation with respect toapplication also occurs.

With regard to observable debug or trace, this is done by ETM and isentirely independent of debug. When trace is enabled ETM works as usualand when it is disabled, ETM hides trace in the secure world, or part ofthe secure world depending on the granularity chosen. One way to avoidETM capturing and tracing diagnostic data in the secure domain when thisis not enabled is to stall ETM when the S-bit is high. This can be doneby combining the S-bit with the ETMPWRDOWN signal, so that the ETMvalues are held at their last values when the core enters secure world.The ETM should thus trace a SMI instruction and then be stalled untilthe core returns to non-secure world. Thus, the ETM would only seenon-secure activity.

A summary of some of the different monitoring functions and theirgranularity is given below.

Intrusive Debug at Board Stage

At board stage when the JSDAEN pin is not tied, there is the ability toenable debug everywhere before starting any boot session. Similarly, ifwe are in secure supervisor mode we have similar rights.

If we initialise debug in halt debug mode all registers are accessible(non-secure and secure register banks) and the whole memory can bedumped, except the bits dedicated to control debug.

Debug halt mode can be entered from whatever mode and from whateverdomain. Breakpoints and watchpoints can be set in secure or innon-secure memory. In debug state, it is possible to enter secure worldby simply changing the S bit via an MCR instruction.

As debug mode can be entered when secure exceptions occur, the vectortrap register is extended with new bits which are;

SMI vector trapping enable

Secure data abort vector trapping enable

Secure prefetch abort vector trapping enable

Secure undefined vector trapping enable.

In monitor debug mode, if we allow debug everywhere, even when an SMI iscalled in non-secure world, it is possible to enter secure world instep-by-step debug. When a breakpoint occurs in secure domain, thesecure abort handler is operable to dump secure register bank and securememory.

The two abort handlers in secure and in non-secure world give theirinformation to the debugger application so that debugger window (on theassociated debug controlling PC) can show the register state in bothsecure and non-secure worlds.

FIG. 71A shows what happens when the core is configured in monitor debugmode and debug is enabled in secure world. FIG. 71B shows what happenswhen the core is configured in monitor debug mode and the debug isdisabled in secure world. This later process will be described below.

Intrusive Debug at Production Stage

In production stage when JSDAEN is tied and debug is restricted tonon-secure world, unless the secure supervisor determines otherwise,then the table shown in FIG. 71B shows what happens. In this case SMIshould always be considered as an atomic instruction, so that securefunctions are always finished before entering debug state.

Entering debug halt mode is subject to the following restrictions:

External debug request or internal debug request is taken into accountin non-secure world only. If EDBGRQ (external debug request) is assertedwhile in secure world, the core enters debug halt mode once securefunction is terminated and the core is returned in non-secure world.

Programming a breakpoint or watchpoint on secure memory has no effectand the core is not stopped when the programmed address matches.

Vector Trap Register (details of this are given below) concernsnon-secure exceptions only. All extended trapping enable bits explainedbefore have no effect.

Once in halt debug mode the following restrictions apply:

S bit cannot be changed to force secure world entry, unless secure debugis enabled.

Mode bits can not be changed if debug is permitted in secure supervisormode only.

Dedicated bits that control secure debug cannot be changed.

If a SMI is loaded and executed (with system speed access), the corere-enters debug state only when secure function is completely executed.

In monitor debug mode because monitoring cannot occur in secure world,the secure abort handler does not need to support a debug monitorprogramme. In non secure world, step-by-step is possible but whenever anSMI is executed secure function is executed entirely in other words anXWSI only “step-over” is allowed while “step-in” and “step-over” arepossible on all other instructions. XWSI is thus considered an atomicinstruction.

Once secure debug is disabled, we have the following restrictions:

Before entering monitor mode:

Breakpoints and watchpoints are only taken into account in non-secureworld.

If bit S is set, breakpoints/watchpoints are bypassed. Note thatwatchpoints units are also accessible with MCR/MRC (CP14) which is not asecurity issue as breakpoint/watchpoint has no effect in secure memory.

BKPT are normally used to replace the instruction on which breakpoint isset. This supposes to overwrite this instruction in memory by BKPTinstruction, which will be possible only in non-secure mode.

Vector Trap Register concerns non-secure exceptions only. All extendedtrapping enable bits explained before have no effect. Data abort andPre-fetch abort enable bits should be disabled to avoid the processorbeing forced in to an unrecoverable state.

Via JTAG, we have the same restrictions as for halt mode (S bit cannotbe modified, etc)

Once in monitor mode (non-secure abort mode)

The non-secure abort handler can dump non-secure world and has novisibility on secure banked registers as well as secure memory.

Executes secure functions with atomic SMI instruction

S bit cannot be changed to force secure world entry.

Mode bits can not be changed if debug is permitted in secure supervisormode only.

Note that if an external debug request (EDBGRQ) occurs,

In non-secure world, the core terminates the current instruction andenters then immediately debug state (in halt mode).

In secure world, the core terminates the current function and enters theDebug State when it has returned in non-secure world.

The new debug requirements imply some modifications in core hardware.The S bit must be carefully controlled, and the secure bit must not beinserted in a scan chain for security reason.

In summary, in debug, mode bits can be altered only if debug is enabledin secure supervisor mode. It will prevent anybody that has access todebug in the secure domain to have access to all secure world byaltering the system (modifying TBL entries, etc). In that way eachthread can debug its own code, and only its own code. The secure kernelmust be kept safe. Thus when entering debug while the core is running innon-secure world, mode bits can only be altered as before.

Embodiments of the technique use a new vector trap register. If one ofthe bits in this register is set high and the corresponding vectortriggers, the processor enters debug state as if a breakpoint has beenset on an instruction fetch from the relevant exception vector. Thebehaviour of these bits may be different according to the value of‘Debug in Secure world Enable’ bit in debug control register.

The new vector trap register comprises the following bits: D_s_abort,P_s_abort, S_undef, SMI, FIQ, IRQ, Unaligned, D_abort, P_abort, SWI andUndef.

-   D_s_abort bit: should only be set when debug is enabled in secure    world and when debug is configured in halt debug mode. In monitor    debug mode, this bit should never bit set. If debug in secure world    is disabled, this bit has no effect whatever its value.-   P_s_abort bit: same as D_s_abort bit.-   S_undef bit: should only be set when debug is enable in secure    world. If debug in secure world is disabled, this bit has no effect    whatever its value is.-   SMI bit: should only be set when debug is enabled in secure world.    If debug in secure world is disabled, this bit has no effect    whatever its value is.-   FIQ, IRQ, D_abort, P_abort, SWI, undef bits: correspond to    non-secure exceptions, so they are valid even if debug in secure    world is disabled. Note that D_abort and P_abort should not be    asserted high in monitor mode.-   Reset bit: as we enter secure world when reset occurs, this bit is    valid only when debug in secure world is enabled, otherwise it has    no effect.

Although a particular embodiment of the invention has been describedherein, it will be apparent that the invention is not limited thereto,and that many modifications and additions may be made within the scopeof the invention. For example, various combinations of the features ofthe following dependent could be made with the features of theindependent claims without departing from the scope of the presentinvention.

1. A data processing apparatus having a secure domain and a non-securedomain, in the secure domain devices of the data processing apparatushaving access to secure data which is not accessible in the non-securedomain, the data processing apparatus comprising: a device bus; aplurality of devices coupled to the device bus, at least one of thedevices being operable in a plurality of modes, including at least onenon-secure mode being a mode in the non-secure domain and at least onesecure mode being a mode in the secure domain; a memory coupled to thedevice bus and operable to store data required by the devices, thememory divided between secure memory for storing secure data andnon-secure memory for storing non-secure data, each of the devices beingoperable to issue onto the device bus a memory access request whenaccess to an item of data in the memory is required, each memory accessrequest pertaining to either said secure domain or said non-securedomain; and partition checking logic coupled to the device bus andoperable whenever a memory access request as issued by any of thedevices pertains to said non-secure domain to detect if the memoryaccess request is seeking to access the secure memory, and upon suchdetection to prevent the access specified by that memory access request.2. A data processing apparatus as claimed in claim 1, wherein for saidat least one of the devices, said plurality of modes are replicated insaid secure domain and said non-secure domain.
 3. A data processingapparatus as claimed in claim 1, wherein the partition checking logic ismanaged by one of said devices when operating in a predetermined securemode in said secure domain.
 4. A data processing apparatus as claimed inclaim 1, wherein the memory access request issued by the devicesincludes a domain signal identifying whether the memory access requestpertains to said secure domain or said non-secure domain, with thedomain signal being useable by the partition checking logic to determinewhether the access the subject of the memory access request is allowedto proceed.
 5. A data processing apparatus as claimed in claim 4,wherein the devices have a predetermined pin over which the domainsignal is output onto the device bus.
 6. A data processing apparatus asclaimed in claim 1, wherein the partition checking logic is providedwithin an arbiter coupled to the device bus to arbitrate between memoryaccess requests issued on the device bus.
 7. A data processing apparatusas claimed in claim 1, wherein in said non-secure domain said at leastone of the devices is operable under the control of a non-secureoperating system, and in said secure domain said at least one of thedevices is operable under the control of a secure operating system.
 8. Adata processing apparatus as claimed in claim 1, wherein said at leastone of the devices is a chip incorporating a processor, the chip furthercomprising a memory management unit operable, when the processorgenerates the memory access request, to perform one or morepredetermined access control functions to control issuance of the memoryaccess request onto the device bus.
 9. A data processing apparatus asclaimed in claim 8, wherein the chip further comprises: further memorycoupled to the processor via a system bus, the further memory operableto store data required by the processor, the further memory comprisingsecure further memory for storing secure data and non-secure furthermemory for storing non-secure data; and further partition checking logiccoupled to the system bus and operable whenever the memory accessrequest is generated by the processor when operating in a non-securemode in said non-secure domain to detect if the memory access request isseeking to access either the secure memory or the secure further memory,and upon such detection to prevent the access specified by that memoryaccess request.
 10. A data processing apparatus as claimed in claim 9,wherein: the processor is operable in a plurality of modes, including atleast one non-secure mode being a mode in the non-secure domain and atleast one secure mode being a mode in the secure domain, in said atleast one non-secure mode the processor being operable under the controlof a non-secure operating system and in said at least one secure modethe processor being operable under the control of a secure operatingsystem; and the further partition checking logic is managed by thesecure operating system.
 11. A data processing apparatus as claimed inclaim 10, wherein when the processor is operating in the at least onenon-secure mode, the memory access request specifies a virtual address,the memory management unit is controlled by the non-secure operatingsystem and one of said predetermined access control functions performedby the memory management unit comprises conversion of the virtualaddress to a physical address, the further partition checking logicbeing operable to prevent the access specified by that memory accessrequest if the physical address to be generated by the memory managementunit is within the secure memory.
 12. A data processing apparatus asclaimed in claim 11, further comprising a memory protection unit withinwhich the further partition checking logic is provided, the memoryprotection unit being managed by the secure operating system, whereinwhen the processor is operating in a particular secure mode, the memoryaccess request specifies a physical address for a memory location, thememory management unit is not used, and the memory protection unit isoperable to perform at least memory access permission processing toverify whether the memory location specified by the physical address isaccessible in said particular secure mode.
 13. A data processingapparatus as claimed in claim 10, wherein when the processor isoperating in one of the at least one secure modes, the memory accessrequest specifies a virtual address, the memory management unit iscontrolled by the secure operating system and one of said predeterminedaccess control functions performed by the memory management unitcomprises conversion of the virtual address to a physical address, thefurther partition checking logic not being used in the at least onesecure mode.
 14. A data processing apparatus as claimed in claim 13,wherein for all modes of operation of the processor, the memory accessrequest specifies a virtual address, the further partition checkinglogic being provided within the memory management unit, and beingoperable whenever the processor is operating in said at least onenon-secure mode.
 15. A data processing apparatus as claimed in claim 10,wherein the memory includes at least one table containing for each of anumber of memory regions an associated descriptor, the memory managementunit comprising an internal storage unit for storing access controlinformation derived from the descriptors and used by the memorymanagement unit to perform the predetermined access control functionsfor the memory access request, the further partition checking logicbeing operable, when the processor is operating in said at least onenon-secure mode, to prevent the internal storage unit from storingaccess control information that would allow access to said securememory.
 16. A data processing apparatus as claimed in claim 15, whereinthe memory access request specifies a virtual address, and one of saidpredetermined access control functions comprises conversion of thevirtual address to a physical address, each descriptor containing atleast a virtual address portion and a corresponding physical addressportion for the corresponding memory region, the further partitionchecking logic being operable, when the processor is operating in saidat least one non-secure mode, to prevent the internal storage unit fromstoring as access control information the physical address portion ifthe physical address that would then be produced for the virtual addressis within the secure memory.
 17. A data processing apparatus as claimedin claim 16, wherein the internal storage unit is a translationlookaside buffer (TLB) operable to store for a number of virtual addressportions the corresponding physical address portions obtained fromcorresponding descriptors retrieved from the at least one table.
 18. Adata processing apparatus as claimed in claim 17, wherein the TLB is amicro-TLB, and the internal storage unit further comprises a main TLBfor storing descriptors retrieved by the memory management unit from theat least one table, access control information being transferred fromthe main TLB to the micro-TLB prior to use of that access controlinformation by the memory management unit to perform the predeterminedaccess control functions for the memory access request, the furtherpartition checking logic being operable, when the processor is operatingin said at least one non-secure mode, to prevent the transfer of anyaccess control information from the main TLB to the micro-TLB that wouldallow access to said secure memory.
 19. A data processing apparatus asclaimed in claim 18, wherein the at least one table comprises anon-secure table for use when the processor is operating in said atleast one non-secure mode and containing descriptors generated by thenon-secure operating system, in the event that a descriptor within thatnon-secure table is associated with a memory region that at leastpartially incorporates a part of the secure memory, the furtherpartition checking logic being operable, when the processor is operatingin non-secure mode, to prevent the internal storage unit from storing asaccess control information the physical address portion specified bythat descriptor if the physical address that would then be produced forthe virtual address is within the secure memory, and wherein the atleast one table further comprises a secure table within the securememory that contains descriptors generated by the secure operatingsystem, the main TLB comprising a flag associated with each descriptorstored within the main TLB to identify whether that descriptor is fromsaid non-secure table or said secure table.
 20. A data processingapparatus as claimed in claim 19, wherein the micro-TLB is flushedwhenever the mode of operation of the processor changes between a securemode and a non-secure mode, in the secure mode access controlinformation only being transferred to the micro-TLB from a descriptor inthe main TLB that said associated flag indicates is from the securetable, and in the non-secure mode access control information only beingtransferred to the micro-TLB from a descriptor in the main TLB that saidassociated flag indicates is from the non-secure table.
 21. A dataprocessing apparatus as claimed in claim 16, wherein the at least onetable comprises a non-secure table for use when the processor isoperating in said at least one non-secure mode a nd containingdescriptors generated by the non-secure operating system, in the eventthat a descriptor within that non-secure table is associated with amemory region that at least partially incorporates a part of the securememory, the further partition checking logic being operable, when theprocessor is operating in non-secure mode, to prevent the internalstorage unit from storing as access control information the physicaladdress portion specified by that descriptor if the physical addressthat would then be produced for the virtual address is within the securememory.
 22. A data processing apparatus as claimed in claim 10, whereinthe memory includes at least one table containing for each of a numberof memory regions an associated descriptor, the memory management unitcomprising an internal storage unit for storing access controlinformation derived from the descriptors and used by the memorymanagement unit to perform the predetermined access control functionsfor the memory access request, the further partition checking logicbeing operable, when the processor is operating in said at least onenon-secure mode, to prevent the internal storage unit from storingaccess control information that would allow access to said securememory, and wherein said at least one table comprises at least one pagetable.
 23. A data processing apparatus as claimed in claim 10, whereinthe further memory comprises a tightly coupled memory connected to thesystem bus, the physical address range for the tightly coupled memorybeing defined in a control register, and a control flag being settableby the processor when operating in a privileged secure mode to indicatewhether the tightly coupled memory is controllable by the processor onlywhen executing in a privileged secure mode or is controllable by theprocessor when executing in the at least one non-secure mode.
 24. A dataprocessing apparatus as claimed in claim 23, wherein if the tightlycoupled memory is controllable by the processor when executing in the atleast one non-secure mode, secure data is prevented from being stored inthe tightly coupled memory.
 25. A method of controlling access to amemory in a data processing apparatus having a secure domain and anon-secure domain, in the secure domain devices of the data processingapparatus having access to secure data which is not accessible in thenon-secure domain, the data processing apparatus comprising a devicebus, a plurality of devices coupled to the device bus, at least one ofthe devices being operable in a plurality of modes, including at leastone non-secure mode being a mode in the non-secure domain and at leastone secure mode being a mode in the secure domain to the device bus andoperable to store data required by the devices, the memory dividedbetween secure memory for storing secure data and non-secure memory forstoring non-secure data, the method composing the steps of: (i) issuingfrom any of the devices onto the device bus a memory access request whenaccess to an item of data in the memory is required, each memory accessrequest pertaining to either said secure domain or said non-securedomain; and (ii) whenever the memory access request as issued by any ofthe devices pertains to said non-secure domain, employing partitionchecking logic coupled to the device bus to detect if the memory accessrequest is seeking to access the secure memory; and (iii) upon suchdetection, preventing the access specified by that memory accessrequest.
 26. A method as claimed in claim 25, wherein for said at leastone of the devices, said plurality of modes are replicated in saidsecure domain and said non-secure domain.
 27. A method as claimed inclaim 25, wherein the partition checking logic is managed by one of saiddevices when operating in a predetermined secure mode in said securedomain.
 28. A method as claimed in claim 25, wherein each memory accessrequest issued by the devices includes a domain signal identifyingwhether the memory access request pertains to said secure domain or saidnon-secure domain, and the domain signal is used by the partitionchecking logic to determine whether the access the subject of the memoryaccess request is allowed to proceed.
 29. A method as claimed in claim28, wherein the device has a predetermined pin over which the domainsignal is output onto the device bus.
 30. A method as claimed in claim25, wherein the partition checking logic is provided within an arbitercoupled to the device bus to arbitrate between memory access requestsissued on the device bus.
 31. A method as claimed in claim 25, whereinin said non-secure domain said at least one of the device is operableunder the control of a non-secure operating system, and in said securedomain said at least one of the devices is operable under the control ofa secure operating system.
 32. A method as claimed in claim 25, whereinsaid at least one of the devices is a chip incorporating a processor,the chip further comprising a memory management unit, when the processorgenerates the memory access request, the method comprising the step of:employing the memory management unit to perform one or morepredetermined access control functions to control issuance of the memoryaccess request onto the device bus.
 33. A method as claimed in claim 32,wherein the chip further comprises further memory coupled to theprocessor via a system bus, the further memory operable to store datarequired by the processor, the further memory comprising secure furthermemory for storing secure data and non-secure further memory for storingnon-secure data, and further partition checking logic coupled to thesystem bus, the method further comprising the steps of: whenever thememory access request is generated by the processor when operating in anon-secure mode in said non-secure domain, employing the furtherpartition checking logic to detect if the memory access request isseeking to access either the secure memory or the secure further memory;and upon such detection, preventing the access specified by that memoryaccess request.
 34. A method as claimed in claim 33 wherein: theprocessor is operable in a plurality of modes, including at least onenon-secure mode being a mode in the non-secure domain and at least onesecure mode being a mode in the secure domain, in said at least onenon-secure mode the processor being operable under the control of anon-secure operating system and in said at least one secure mode theprocessor being operable under the control of a secure operating system;and the further partition checking logic is managed by the secureoperating system.
 35. A method as claimed in claim 34, wherein when theprocessor is operating in the at least one non-secure mode, the memoryaccess request issued at said step (i) specifies a virtual address, saidstep of employing the memory management unit to perform one or morepredetermined access control functions is controlled by the non-secureoperating system and one of said predetermined access control functionsperformed comprises conversion of the virtual address to a physicaladdress, the further partition checking logic preventing at said step(iii) the access specified by that memory access request if the physicaladdress generated by the memory management unit is within the securememory.
 36. A method as claimed in claim 35, wherein the data processingapparatus further comprises a memory protection unit within which thefurther partition checking logic is provided, the memory protection unitbeing managed by the secure operating system, wherein when the processoris operating in a particular secure mode, the memory access requestissued at said step (i) specifies a physical address for a memorylocation, said step of employing the memory management unit to performone or more predetermined access control functions is not performed, andthe memory protection unit performs at least memory access permissionprocessing to verify whether the memory location specified by thephysical address is accessible in said particular secure mode.
 37. Amethod as claimed in claim 34, wherein when the processor is operatingin one of the at least one secure modes, the memory access requestissued at said step (i) specifies a virtual address, said step ofemploying the memory management unit to perform one or morepredetermined access control functions is controlled by the secureoperating system and one of said predetermined access control functionsperformed comprises conversion of the virtual address to a physicaladdress, the further partition checking logic not being used in the atleast one secure mode.
 38. A method as claimed in claim 37, wherein forall modes of operation of the processor, the memory access requestissued at said step (i) specifies a virtual address, the furtherpartition checking logic being provided within the memory managementunit, and being operable whenever the processor is operating in said atleast one non-secure mode.
 39. A method as claimed in claim 34, whereinthe memory comprises at least one table containing for each of a numberof memory regions an associated descriptor, the method comprising thesteps of: providing within a memory management unit an internal storageunit for storing access control information derived from the descriptorsand used by the memory management unit to perform the predeterminedaccess control functions for the memory access request; and when theprocessor is operating in said at least one non-secure mode, employingthe further partition checking logic to prevent the internal storageunit from storing access control information that would allow access tosaid secure memory.
 40. A method as claimed in claim 39, wherein thememory access request issued at said step (i) specifies a virtualaddress, and one of said predetermined access control functionsperformed by the memory management unit comprises conversion of thevirtual address to a physical address, each descriptor containing atleast a virtual address portion and a corresponding physical addressportion for the corresponding memory region, the method comprising thestep of: when the processor is operating in said at least one non-securemode, employing the further partition checking logic to prevent theinternal storage unit from storing as access control information thephysical address portion if the physical address that would then beproduced for the virtual address is within the secure memory.
 41. Amethod as claimed in claim 40, wherein the internal storage unit is atranslation lookaside buffer (TLB) operable to store for a number ofvirtual address portions the corresponding physical address portionsobtained from corresponding descriptors retrieved from the at least onetable.
 42. A method as claimed in claim 41, wherein the TLB is amicro-TLB, and the internal storage unit further comprises a main TLBfor storing descriptors retrieved by the memory management unit from theat least one table, the method comprising the step of: transferringaccess control information from the main TLB to the micro-TLB prior touse of that access control information by the memory management unit toperform the predetermined access control functions for the memory accessrequest; and when the processor is operating in said at least onenon-secure mode, employing the further partition checking logic toprevent the transfer of any access control information from the main TLBto the micro-TLB that would allow access to said secure memory.
 43. Amethod as claimed in claim 42, wherein the at least one table comprisesa non-secure table for use when the processor is operating in said atleast one non-secure mode and containing descriptors generated by thenon-secure operating system, in the event that a descriptor within thatnon-secure table is associated with a memory region that at leastpartially incorporates a part of the secure memory, the methodcomprising the step of: when the processor is operating in non-securemode, employing the further partition checking logic to prevent theinternal storage unit from storing as access control information thephysical address portion specified by that descriptor if the physicaladdress that would then be produced for the virtual address is withinthe secure memory, and wherein the at least one table further comprisesa secure table within the secure memory that contains descriptorsgenerated by the secure operating system, the main TLB comprising a flagassociated with each descriptor stored within the main TLB, and themethod comprising the step of: when a descriptor is stored in the mainTLB, setting the associated flag to identify whether that descriptor isfrom said non-secure table or said secure table.
 44. A method as claimedin claim 43, further comprising the step of: flushing the micro-TLBwhenever the mode of operation of the processor changes between a securemode and a non-secure mode; in the secure mode, only transferring accesscontrol information to the micro-TLB from a descriptor in the main TLBthat said associated flag indicates is from the secure table; and in thenon-secure mode, only transferring access control information to themicro-TLB from a descriptor in the main TLB that said associated flagindicates is from the non-secure table.
 45. A method as claimed in claim40, wherein the at least one table comprises a non-secure table for usewhen the processor is operating in said at least one non-secure mode andcontaining descriptors generated by the non-secure operating system, inthe event that a descriptor within that non-secure table is associatedwith a memory region that at least partially incorporates a part of thesecure memory, the method comprising the step of: when the processor isoperating in non-secure mode, employing the further partition checkinglogic to prevent the internal storage unit from storing as accesscontrol information the physical address portion specified by thatdescriptor if the physical address that would then be produced for thevirtual address is within the secure memory.
 46. A method as claimed inclaim 34, wherein the memory comprises at least one table containing foreach of a number of memory regions an associated descriptor, the methodcomprising the steps of: providing within a memory management unit aninternal storage unit for storing access control information derivedfrom the descriptors and used by the memory management unit to performthe predetermined access control functions for the memory accessrequest; and when the processor is operating in said at least onenon-secure mode, employing the further partition checking logic toprevent the internal storage unit from storing access controlinformation that would allow access to said secure memory, and whereinsaid at least one table comprises at least one page table.
 47. A methodas claimed in claim 34, wherein the further memory comprises a tightlycoupled memory connected to the system bus, the method comprising thesteps of: defining in a control register the physical address range forthe tightly coupled memory; and setting, by the processor when operatingin a privileged secure mode, a control flag to indicate whether thetightly coupled memory is controllable by the processor only whenexecuting in a privileged secure mode or is controllable by theprocessor when executing in the at least one non-secure mode.
 48. Amethod as claimed in claim 47, wherein if the tightly coupled memory iscontrollable by the processor when executing in the at least onenon-secure mode, secure data is prevented from being stored in thetightly coupled memory.
 49. A data processing apparatus, comprising: adevice bus; a plurality of devices coupled to the device bus and atleast one of the devices operable in a plurality of modes and either asecure domain or a non-secure domain, including at least one non-securemode being a mode in the non-secure domain and at least one secure modebeing a mode in the secure domain; a memory coupled to the device busand operable to store data required by the devices, the memory dividedbetween comprising secure memory for storing secure data and non-securememory for storing non-secure data, each of the devices being operableto issue onto the device bus a memory access request when access to anitem of data in the memory is required, each memory access requestpertaining to either said secure domain or said non-secure domain; andpartition checking logic coupled to the device bus and operable whenevera memory access request is issued by any of the devices when operatingin said at least one non-secure mode to detect if the memory accessrequest is seeking to access the secure memory, and upon such detectionto prevent the access specified by that memory access request.
 50. Amethod of controlling access to a memory in a data processing apparatus,the data processing apparatus comprising a device bus, a plurality ofdevices coupled to the device bus, at least one of the devices beingoperable in a plurality of modes and either a secure domain or anon-secure domain, including at least one non-secure mode being a modein the non-secure domain and at least one secure mode being a mode inthe secure domain, and a memory coupled to the device bus and operableto store data required by the devices, the memory divided between securememory for storing secure data and non-secure memory for storingnon-secure data, the method comprising the steps of: (i) issuing fromany of the devices onto the device bus a memory access request whenaccess to an item of data in the memory is required, each memory accesspertaining to either said secure domain or said non-secure domain; and(ii) whenever the memory access request is issued by any of the deviceswhen operating in said at least one non-secure mode, employing partitionchecking logic coupled to the device bus to detect if the memory accessrequest is seeking to access the secure memory; and (iii) upon suchdetection, preventing the access specified by that memory accessrequest.